Email (SMTP) PCAP

pcap
emails
redundancy
triggers

#1

Hi all!

Was working on figuring out if I was getting duplicate/redundant emails from an Exchange server, so I wrote up this quick trigger to PCAP emails sent to/from specific addresses.

Notes:
1) If your email is encrypted, you’ll need to install the SSL cert on the ExtraHop.
2) Event is SMTP_REQUEST.
3) Debugging will show a) what/if the trigger is firing on and b) if a PCAP was generated.
4) Can be assigned to SMTP client or server.
5) Make sure you get the uppercase/lowercase right on the email address; I spent an hour figuring out why it wasn’t working. :confused:

Enjoy!

/*
 * Name: Email PCAP
 * Version Date: 7/20/2016
 * EDA version: 5.3+
 * Event: SMTP_REQUEST
 * Description: Trigger generates PCAP when email sender/recipient combination matches.  
 *              Edit configuration section to match sender/recipient and pcap name
 */

/*-----------------------------------------------------*/
/*-----------  Configuration Section ------------------*/
/*-----------------------------------------------------*/

var sender = 'joe.mahma@email.com';
var recipient = 'josie.ster@email.com';
var pcapName = 'name of pcap';

/*-----------------------------------------------------*/
/*--------  Configuration Section End -----------------*/
/*-----------------------------------------------------*/

var emailFrom = SMTP.sender;
var emailTo = SMTP.recipient;
var emailToMany = SMTP.recipientList || [];   // guard against a null/undefined list so indexOf() cannot throw

if (event === "SMTP_REQUEST") {
    // Match when the sender is the configured address and the configured recipient
    // is either the single recipient or appears anywhere in the recipient list.
    // The comparison is case-sensitive (see note 5 above).
    if ((emailFrom === sender)
        && ((emailToMany.indexOf(recipient) > -1) || (emailTo === recipient))) {
        debug('Email from: ' + emailFrom +
              ' To: ' + emailTo +
              ' To Many: ' + emailToMany +
              ' L2Bytes: ' + SMTP.reqL2Bytes +
              ' Packets (req/res): ' + SMTP.reqPkts + '/' + SMTP.rspPkts);

        // Capture up to maxPackets of this flow; raise it if the PCAP is missing the end of the message.
        var opts = { maxPackets: 1000 };
        Flow.captureStart(pcapName, opts);
        debug('PCAP processed');
    }
}