Thanks for the clarification.  I see the foundation already built for already-parsed MIME content, to include attachments, in the smtp_intel_nugget.c.  Here is a snippet of the code from the smtp_intel_nugget.c:



static char SRC_IP[] = "";

static char DST_IP[] = "";

static char MAIL_FROM[] = "";

static char RCPT_TO[] = "";

static char SUBJECT[] = "Hey, check out this new 0-day!";

static char MSG_FROM[] = "";

static char MSG_TO[] = "";

static char BODY_TXT[] = "Wow, man, this is awesome!";

static char DATE_TXT[] = "2010-07-15 14:38:49";

static unsigned char ATTACHMENT1[] = "DUDE DUDE DUDE!";

static char ATTACHMENT1_NAME[] = "Dude.txt";

static unsigned char ATTACHMENT2[] = "I GOT NO NAME";


int main(int argc, char ** argv)


    const BASE_MAIL_DATA mail =


        .src_ip = SRC_IP,

        .dst_ip = DST_IP,

        .mail_from = MAIL_FROM,

        .rcpt_to = RCPT_TO,

        .subject = SUBJECT,

        .msg_from = MSG_FROM,

        .msg_to = MSG_TO,


    unsigned mail_id;


//…skipped the read config options stuff…


    printf("<---Intel Nugget--->\n");

    printf("Src ip: %s\n", mail.src_ip);

    printf("Dst ip: %s\n", mail.dst_ip);

    printf("<----Intel API---->\n");


    sendNewMail(&mail, &mail_id);

    printf("Mail ID is %u\n", mail_id);

    printf("<---Mail Submitted: %u--->\n", mail_id);


    addMailData(BODY, BODY_TXT, mail_id);


    addMailData(MSG_ID, BODY_TXT, mail_id);


    addMailData(MIME_VER, BODY_TXT, mail_id);


    addMailData(LANGUAGE, BODY_TXT, mail_id);


    addMailData(MAILER, BODY_TXT, mail_id);


    addMailData(THREAD_IDX, BODY_TXT, mail_id);


    addMailData(XBLOCK, BODY_TXT, mail_id);


    addMailData(HEADER_DATE, DATE_TXT, mail_id);



    sendMailAttachment(sizeof(ATTACHMENT1) - 1, ATTACHMENT1, ANY_DATA_API, ATTACHMENT1_NAME, mail_id);


    sendMailAttachment(sizeof(ATTACHMENT2) - 1, ATTACHMENT2, ANY_DATA_API, NULL, mail_id);

    printf("<---END ATTACHMNETS--->\n");

    printf("<--Run Complete-->\n");


    return 0;




The sendMailAttachment() function references the file name and, I’m assuming, the data within the file itself (array called ATTACHMENT1[] or ATTACHMENT2[]).  However, this data appears to be hardcoded as text/ASCII data.  How do I dynamically fill the ATTACHMENT[] array with file content (even non-ASCII-printable)?





From: Patrick Mullen []
Sent: Monday, October 04, 2010 10:13 AM
To: David Merritt
Subject: Re: [Nuggetfarm-users] Using SaaC for emails



The SaaC is already set up to extract all data going from the client to the smtp server, which it sends  to the dispatcher.  The dispatcher then sends this stream data to the smtp_parser, which splits out all mime components, runs them through libmagic to determine what type of data it is, then sends the data to the dispatcher for further processing.

I'm not sure that the smtp intel stuff is in the smtp_parser;  I think the only intel nugget we have is in http.  If you wanted to add this functionality, smtp_nugget is the place to do it and we would live the contribution!

I think this answers your questions, but if not I'll be more than happy to help when I get to the office.



On Oct 4, 2010 8:26 AM, "David Merritt" <> wrote:
> I'm setting up a malicious email detection framework much like that
> presented at Defcon. My malware detection engines are not going to be
> off-the-shelf antivirus products like ClamAV. Thus, my focus is on using
> SaaC to collect emails and then extracting certain attachments (for example:
> doc, excel, ppt, pdf, and exe) and also extracting URLs, if possible.
> 1) Within the context of the default, out-of-the-box setup of Razorback
> 0.1.1, do I need to create a Snort rule to capture all SMTP traffic?
> 2) Does the smtp_parser sample nugget parse a TCP stream into SMTP (its
> source code isn't explicitly obvious to me)? If so, then what does SaaC
> feed the Dispatcher?
> 3) I see references to email attachments in the smtp_intel_nugget.c and also
> the mysql database, but how/where do the attachments get stripped/extracted?
> David