policy/protocols/smtp/software.zeek
- SMTP
This script feeds software detected through email into the software framework. Mail clients and webmail interfaces are the only thing currently detected.
TODO:
Find some heuristic to determine if email was sent through a MS Exchange webmail interface as opposed to a desktop client.
- Namespace
SMTP
- Imports
base/frameworks/software/main.zeek, base/protocols/smtp/main.zeek
Summary
Runtime Options
Assuming that local mail servers are more trustworthy with the headers they insert into message envelopes, this default makes Zeek not attempt to detect software in inbound message bodies. |
|
A regular expression to match USER-AGENT-like headers to find if a message was sent with a webmail interface. |
Redefinitions
|
|
Detailed Interface
Runtime Options
- SMTP::detect_clients_in_messages_from
-
Assuming that local mail servers are more trustworthy with the headers they insert into message envelopes, this default makes Zeek not attempt to detect software in inbound message bodies. If mail coming in from external addresses gives incorrect data in the Received headers, it could populate your SOFTWARE logging stream with incorrect data. If you would like to detect mail clients for incoming messages (network traffic originating from a non-local address), set this variable to EXTERNAL_HOSTS or ALL_HOSTS.
- SMTP::webmail_user_agents
- Type
- Attributes
- Default
/^?((^?((^?((^?((^?((^?(^iPlanet Messenger)$?)|(^?(^Sun Java\(tm\) System Messenger Express)$?))$?)|(^?(\(IMP\))$?))$?)|(^?(^SquirrelMail)$?))$?)|(^?(^NeoMail)$?))$?)|(^?(ZimbraWebClient)$?))$?/
A regular expression to match USER-AGENT-like headers to find if a message was sent with a webmail interface.