Imports:base/utils/addrs.bro, base/utils/directions-and-hosts.bro, base/utils/email.bro
Source File:/scripts/base/protocols/smtp/main.bro


Runtime Options

SMTP::mail_path_capture: Host &redef Direction to capture the full “Received from” path.


SMTP::log_smtp: event  


SMTP::describe: function Create an extremely shortened representation of a log line.

Detailed Interface

Runtime Options

Direction to capture the full “Received from” path.
REMOTE_HOSTS - only capture the path until an internal host is found. LOCAL_HOSTS - only capture the path until the external host is discovered. ALL_HOSTS - always capture the entire path. NO_HOSTS - never capture the path.




ts: time &log

Time when the message was first seen.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

trans_depth: count &log

A count to represent the depth of this message transaction in a single connection where multiple messages were transferred.

helo: string &log &optional

Contents of the Helo header.

mailfrom: string &log &optional

Email addresses found in the From header.

rcptto: set [string] &log &optional

Email addresses found in the Rcpt header.

date: string &log &optional

Contents of the Date header.

from: string &log &optional

Contents of the From header.

to: set [string] &log &optional

Contents of the To header.

cc: set [string] &log &optional

Contents of the CC header.

reply_to: string &log &optional

Contents of the ReplyTo header.

msg_id: string &log &optional

Contents of the MsgID header.

in_reply_to: string &log &optional

Contents of the In-Reply-To header.

subject: string &log &optional

Contents of the Subject header.

x_originating_ip: addr &log &optional

Contents of the X-Originating-IP header.

first_received: string &log &optional

Contents of the first Received header.

second_received: string &log &optional

Contents of the second Received header.

last_reply: string &log &optional

The last message that the server sent to the client.

path: vector of addr &log &optional

The message transmission path, as extracted from the headers.

user_agent: string &log &optional

Value of the User-Agent header from the client.

tls: bool &log &default = F &optional

Indicates that the connection has switched to using TLS.

process_received_from: bool &default = T &optional

Indicates if the “Received: from” headers should still be processed.

has_client_activity: bool &default = F &optional

Indicates if client activity has been seen, but not yet logged.

entity: SMTP::Entity &optional

(present if base/protocols/smtp/entities.bro is loaded)

The current entity being seen.

fuids: vector of string &log &default = [] &optional

(present if base/protocols/smtp/files.bro is loaded)

An ordered vector of file unique IDs seen attached to the message.

is_webmail: bool &log &default = F &optional

(present if policy/protocols/smtp/software.bro is loaded)

Boolean indicator of if the message was sent through a webmail interface.



helo: string &optional

messages_transferred: count &default = 0 &optional

Count the number of individual messages transmitted during this SMTP session. Note, this is not the number of recipients, but the number of message bodies transferred.

pending_messages: set [SMTP::Info] &optional

mime_depth: count &default = 0 &optional

(present if base/protocols/smtp/entities.bro is loaded)

Track the number of MIME encoded files transferred during a session.


Type:event (rec: SMTP::Info)


Type:function (rec: SMTP::Info) : string

Create an extremely shortened representation of a log line.

Copyright 2016, The Bro Project. Last updated on January 10, 2019. Created using Sphinx 1.7.5.