This package and its policies have been updated to work with Zeek (the new Broker framework).

The primary scope of these Zeek policies is to give more insight into SMTP analysis, especially for tracking phishing events.

This is a subset of the phish-analysis repo and does not use any backing Postgres database, which relieves the user of the Postgres dependency and gets basic phishing detection up and running very quickly.

The following functionality is provided by the scripts:

1) Works in cluster and standalone mode
2) Extracts URLs from emails and logs them to smtpurl_links.log
3) Tracks these SMTP URLs in the HTTP analyzer and logs any SMTP URL that has been clicked to smtp_clicked_urls.log
4) Reads a file of malicious indicators and generates an alert if any of those indicators has a hit in SMTP traffic (see below for more details)
5) Generates alerts if suspicious strings are seen in a URL (see below for details)
6) Generates an alert if an SMTP URL is clicked and results in a file download


zkg install initconf/smtp-url-analysis

or

@load smtp-url-analysis/scripts


$ zkg upgrade zeek/initconf/smtp-url-analysis.git
The following packages will be UPGRADED:
  zeek/initconf/smtp-url-analysis.git (master)

Proceed? [Y/n] y
Running unit tests for "zeek/initconf/smtp-url-analysis.git"
all 7 tests successful
Upgraded "zeek/initconf/smtp-url-analysis.git" (master)

Detailed Notes:

All the configuration variables are in configure-variables-in-this-file.zeek. Please modify as needed.


Note: Make sure you replace "" in that file with your own domain name(s).

Detailed alerts and descriptions: the following alerts are generated by the scripts.

Heuristics in smtp-malicious-indicators.zeek are used to flag known sensitive IoCs (sort of a local SMTP intel feed).

This should generate the following kinds of notices:

  • Malicious_MD5
  • Malicious_Attachment
  • Malicious_Indicator
  • Malicious_Mailfrom
  • Malicious_Mailto
  • Malicious_from
  • Malicious_reply_to
  • Malicious_subject
  • Malicious_rcptto
  • Malicious_path
  • Malicious_Decoded_Subject

To activate these notices, a sample smtp_malicious_indicators.out is provided in the "scripts/feeds" directory. You either need to populate that file or redef smtp_indicator_feed in configure-variables-in-this-file.zeek:

redef Phish::smtp_indicator_feed = "/feeds/BRO-feeds/smtp_malicious_indicators.out" ;

I have a cron job which scrapes various email indicators (senders, subject, attachment, md5 hash etc.) from various phish-related feeds/notices and periodically creates this one file: /feeds/BRO-feeds/smtp_malicious_indicators.out. Bro reads this file using the input framework, i.e. new additions/appends/removals to this file don't require Zeek to be restarted.

Note: 1) Make sure the fields in the file are <tab> separated. 2) Make sure the feed file follows the format shown in the sample below.

Here is a sample format:

#fields	indicator	description
"At Your Service" <>	Some random comment
f402e0713127617bda852609b426caff	some bad hash
HelpDesk	some bad subject

Example alert: Phish::Malicious_rcptto

Aug 24 11:26:06 CPLZuO3KTSDHx9mCC1 36906 25 tcp Phish::Malicious_rcptto Malicious rectto :: [, description=random test ], 25 zeek Notice::ACTION_EMAIL,Notice::ACTION_LOG 60.000000 F - - - - -
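As an added illustration of how a feed in the format above is consumed (this is not the package's own smtp-malicious-indicators.zeek), the following Zeek script loads the file with the Input framework and raises a notice when the envelope sender, a recipient, the From header or the Subject of a logged SMTP transaction equals a feed indicator. The feed path, module name and notice names are assumptions.

```zeek
module IndicatorDemo;

export {
    redef enum Notice::Type += {
        Malicious_Mailfrom, Malicious_rcptto, Malicious_from, Malicious_subject
    };
    # Assumed feed path; point this at your own file.
    const indicator_feed = "/feeds/BRO-feeds/smtp_malicious_indicators.out" &redef;
}

# One feed row. The names after "#fields" in the file must match these record
# fields, and columns must be separated by a real tab (the ASCII reader's
# default separator), which is why space-separated lines break the feed.
type Idx: record { indicator: string; };
type Val: record { description: string; };

global indicators: table[string] of Val = table();

event zeek_init()
    {
    # REREAD re-parses the file whenever it changes, so a cron job can rewrite
    # it without restarting Zeek.
    Input::add_table([$source=indicator_feed, $name="smtp_indicators",
                      $idx=Idx, $val=Val, $destination=indicators,
                      $mode=Input::REREAD]);
    }

function check(rec: SMTP::Info, value: string, n: Notice::Type)
    {
    if ( value !in indicators )
        return;
    NOTICE([$note=n, $id=rec$id, $uid=rec$uid,
            $msg=fmt("SMTP indicator hit: %s", value),
            $sub=indicators[value]$description,
            $identifier=cat(rec$id$orig_h, value)]);
    }

# Runs once per SMTP transaction, when its smtp.log record is written.
event SMTP::log_smtp(rec: SMTP::Info)
    {
    if ( rec?$mailfrom ) check(rec, rec$mailfrom, Malicious_Mailfrom);
    if ( rec?$from )     check(rec, rec$from, Malicious_from);
    if ( rec?$subject )  check(rec, rec$subject, Malicious_subject);
    if ( rec?$rcptto )
        for ( r in rec$rcptto )
            check(rec, r, Malicious_rcptto);
    }
```

Matching is exact, so an indicator such as "At Your Service" <address> must be written in the feed exactly as it appears in the From header.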

smtp-sensitive-uris.zeek will generate the following alerts:

  • SensitiveURI
  • Dotted_URL
  • Suspicious_File_URL
  • Suspicious_Embedded_Text
  • WatchedFileType
  • BogusSiteURL

Example Alert: BogusSiteURL

1503599166.565855 CPLZuO3KTSDHx9mCC1 36906 25 - - - tcp Phish::BogusSiteURL Very similar URL to site: from - 25 - zeek Notice::ACTION_EMAIL,Notice::ACTION_LOG 3600.000000 F - - - - -

Again, see configure-variables-in-this-file.zeek for tweaking and tuning.

Example Alert: FileDownload

Malicious file download: if a link in an email is clicked and results in a file download, this module can generate an alert for that as well.

1481499234.568566 CQa9SJ1adwAqlPDcKj 49067 80 FxrREO3dgcnSlAQZO8 application/x-dosexec sgtatham/putty/0.67/x86/putty.exe tcp Phish::FileDownload [ts=1481431889.562629, uid=CX5ROKa8g7WcfnET4, from=Bad Guy <>, to=John Doe <>, subject=putty.exe, referrer=[]] sgtatham/putty/0.67/x86/putty.exe 80 - zeek Notice::ACTION_LOG 3600.000000 F

Example Alert: Phish::DottedURL

Watches for URLs that contain a bare IP address instead of a domain name, another sign of maliciousness.

1483418588.406004 CNDcli3Oo5dFqrJNhi 46134 25 - - - tcp Phish::DottedURL Embeded IP in URL from - 25 - zeek Notice::ACTION_LOG 3600.000000 F

Example Alert: SensitiveURI

Generates an alert when a string in a URL matches the signature defined in "suspicious_text_in_url" in configure-variables-in-this-file.zeek.

1351714828.429308 CAmJxI1WlO5E5bWxCj 1277 25 - - - tcp Phish::SensitiveURI Suspicious text embeded in URL from CAmJxI1WlO5E5bWxCj - 25 - zeek Notice::ACTION_LOG 3600.000000 F

Example Alert: Phish::WatchedFileType

Simple regexp match on file extensions. This is a noisy notice but useful for logging. For flagging critical files, use the FileDownload alert above, which is based on the MIME type of the downloaded file rather than the extension in the URL.

1481431889.683598 CxGUuzDvWCpUdFI27 35030 25 - - - tcp Phish::WatchedFileType Suspicious filetype embeded in URL sgtatham/putty/0.67/x86/putty.exe from - 25 - zeek Notice::ACTION_LOG 3600.000000 F

Example Alert: SensitivePOST

This is generated when a URL in an email is clicked and results in an HTTP POST request. Often this is how passwords are transmitted to phishing sites.

1449085047.857802 COuvQB1n4JF3MILQUa 57106 80 - - - tcp Phish::HTTPSensitivePOST Request: /cli/ - Data: type=G+Mail& - 80 - zeek Notice::ACTION_LOG 3600.000000 F

Notice in alert below:

Example Alert: SensitivePassword

The alert is triggered when a password transmitted in an HTTP SensitivePOST is associated with a username belonging to the site's domain and the password meets the site's password complexity rules.

1467998894.642754 Ce3m7XMMIuScmhJu9 64310 80 - - - tcp HTTP::SensitivePasswd Request: /electacta/login_action.asp - Data:$11&rememberMe=on&role=editor&bypass=&rememberUser=1&ignoreWarning=0 - 80 - zeek Notice::ACTION_LOG 3600.000000 F


This module should generate two different logs:

  • smtpurl_links.log
  • smtp_clicked_urls.log


smtpurl_links.log is a log of all URLs extracted from emails. A sample looks like this:


smtp_clicked_urls.log is a log of URLs from email which are 'clicked' on, i.e. which are later seen by the HTTP analyzer.

#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	host	url	mail_ts	mail_uid	from	to	subject	referrer
#types	time	string	addr	port	addr	port	string	string	time	string	string	string	string	string

1449081495.794583 CtxTCR2Yer0FR1tIBg 61291 80 1449081435.863394 CHhAvVGS1DHFjwGM9 Maggie Stoeva <> undisclosed-recipients:; (2) Important Document from Maggie Stoeva (empty)
1449085026.214280 CPhDKt12KQPUVbQz06 57064 80 1449081435.863394 CHhAvVGS1DHFjwGM9 Maggie Stoeva <> undisclosed-recipients:; (2) Important Document from Maggie Stoeva (empty)
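The click tracking in the feature list, the FileDownload alert and this log all rest on the same correlation between URLs seen in mail bodies and later HTTP requests. As an added, simplified illustration (not the package's code; standalone mode only; module name, notice names and the watched MIME-type list are assumptions), this Zeek script remembers URLs found in mail bodies and raises a notice when one is later requested over HTTP, and a second notice when that request returned a watched MIME type:

```zeek
module ClickDemo;

export {
    redef enum Notice::Type += { Clicked_Mail_URL, Mail_URL_File_Download };
    # MIME types that turn a click into a download notice (assumed list).
    const watched_mime_types: set[string] = {
        "application/x-dosexec", "application/x-msdownload", "application/zip"
    } &redef;
}

# URL seen in a mail body -> uid of the SMTP connection that carried it.
# Standalone only: in a cluster this table would have to be shared between
# workers, since the mail and the click can land on different ones.
global mail_urls: table[string] of string &create_expire=1day;

# Body segments arrive already decoded (base64/quoted-printable undone); a URL
# split across two segments is missed by this simplified version.
event mime_segment_data(c: connection, length: count, data: string)
    {
    if ( ! c?$smtp )
        return;
    for ( u in find_all_urls(data) )
        mail_urls[u] = c$uid;
    }

# Check each completed HTTP request against the remembered mail URLs. Only
# plaintext HTTP is visible here, so an https:// link never matches.
event HTTP::log_http(rec: HTTP::Info)
    {
    local url = HTTP::build_url_http(rec);
    if ( url !in mail_urls )
        return;
    NOTICE([$note=Clicked_Mail_URL, $id=rec$id, $uid=rec$uid,
            $msg=fmt("URL from mail %s requested: %s", mail_urls[url], url),
            $identifier=cat(rec$id$orig_h, url)]);
    if ( ! rec?$resp_mime_types )
        return;
    for ( i in rec$resp_mime_types )
        {
        local m = rec$resp_mime_types[i];
        if ( m in watched_mime_types )
            NOTICE([$note=Mail_URL_File_Download, $id=rec$id, $uid=rec$uid,
                    $msg=fmt("Mail URL %s returned %s", url, m),
                    $identifier=cat(rec$id$orig_h, url, m)]);
        }
    }
```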

Package Version :