policy/protocols/smtp/software.zeek

SMTP

This script feeds software detected through email into the software framework. Mail clients and webmail interfaces are the only things currently detected.

TODO:

  • Find some heuristic to determine if email was sent through a MS Exchange webmail interface as opposed to a desktop client.

Namespace

SMTP

Imports

base/frameworks/software/main.zeek, base/protocols/smtp/main.zeek

Summary

Runtime Options

SMTP::detect_clients_in_messages_from: Host &redef

Assuming that local mail servers are more trustworthy with the headers they insert into message envelopes, this default keeps Zeek from attempting to detect software in inbound message bodies.

SMTP::webmail_user_agents: pattern &redef

A regular expression matched against USER-AGENT-like headers to determine whether a message was sent through a webmail interface.

Redefinitions

SMTP::Info: record

New Fields

SMTP::Info

is_webmail: bool &log &default = F &optional

Boolean indicator of whether the message was sent through a webmail interface.

Software::Type: enum

Detailed Interface

Runtime Options

SMTP::detect_clients_in_messages_from
Type

Host

Attributes

&redef

Default

LOCAL_HOSTS

Assuming that local mail servers are more trustworthy with the headers they insert into message envelopes, this default keeps Zeek from attempting to detect software in inbound message bodies. If mail coming in from external addresses carries incorrect data in its Received headers, it could populate your SOFTWARE logging stream with incorrect data. If you would like to detect mail clients for incoming messages (network traffic originating from a non-local address), set this variable to EXTERNAL_HOSTS or ALL_HOSTS.

SMTP::webmail_user_agents
Type

pattern

Attributes

&redef

Default
/^?((^?((^?((^?((^?((^?(^iPlanet Messenger)$?)|(^?(^Sun Java\(tm\) System Messenger Express)$?))$?)|(^?(\(IMP\))$?))$?)|(^?(^SquirrelMail)$?))$?)|(^?(^NeoMail)$?))$?)|(^?(ZimbraWebClient)$?))$?/

A regular expression matched against USER-AGENT-like headers to determine whether a message was sent through a webmail interface.
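The following is an added example of tuning both runtime options from a site script and consuming the is_webmail field this script adds; it is not part of software.zeek. The Roundcube header pattern and the sanctioned_webmail address set are constructed assumptions, not values from this page.

```zeek
# Added example (not part of policy/protocols/smtp/software.zeek):
# extend the webmail pattern, keep the safer host scope, and alert on
# webmail-style mail that does not come from a sanctioned webmail server.
@load policy/protocols/smtp/software
@load base/frameworks/notice

module SMTPWebmailTuning;

export {
    redef enum Notice::Type += {
        ## A webmail-style User-Agent header was seen on mail whose SMTP
        ## client is not one of the sanctioned webmail servers.
        Unexpected_Webmail_Source
    };

    ## Webmail servers expected to originate mail. Constructed assumption
    ## for this example; replace with your own addresses.
    const sanctioned_webmail: set[addr] = { 192.0.2.10 } &redef;
}

# += on a pattern redef adds an alternative to the existing disjunction.
# The Roundcube header value here is an assumption, not taken from the page.
redef SMTP::webmail_user_agents += /^Roundcube Webmail/;

# The default scope (LOCAL_HOSTS) is kept. Widening to EXTERNAL_HOSTS or
# ALL_HOSTS also trusts Received/User-Agent headers that an outside sender
# controls, so software.log could be seeded with bogus client entries.
# redef SMTP::detect_clients_in_messages_from = ALL_HOSTS;

event SMTP::log_smtp(rec: SMTP::Info)
{
    # is_webmail carries &default=F, so it is always readable.
    if ( ! rec$is_webmail )
        return;

    # orig_h is the SMTP client that relayed the message.
    if ( rec$id$orig_h in sanctioned_webmail )
        return;

    NOTICE([$note=Unexpected_Webmail_Source,
            $msg=fmt("webmail user agent '%s' from %s",
                     rec?$user_agent ? rec$user_agent : "<none>",
                     rec$id$orig_h),
            $id=rec$id, $uid=rec$uid,
            $identifier=cat(rec$id$orig_h)]);
}
```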