AnsweredAssumed Answered

Mail From email.src Custom Parser

Question asked by RSA Admin Employee on Aug 28, 2013
Latest reply on Feb 4, 2014 by adimenia

Hi All,

 

I have been having some serious frustrations trying to populate the email.src meta field.

 

I have asked RSA directly how to populate this and they informed me that its used for Logs not packets. however the email parser that comes with LIVE content only populates 'email' making it almost impossible to drill based on a sender. (for instance only wanting outbound mail instead of everything an email address sent or received.

 

Anyhow, I was told I would need a custom parser to achieve my objective, and this is what I have come up with:

 

<parser Name="From Mail Parser" desc="Version 0.1">
<!-- Parser Created by David McClennon @ Integralis.com -->
<declaration>
<!-- Declare meta keys to be used in this parser-->
<meta format="Text" key="email.dst" name="recipient"/>
<meta format="Text" key="email.src" name="sender"/>


<!-- Mail from and To identifiers to Match -->
<token name="MailFrom" value="MAIL FROM:<" options="linestart"/>


<!-- Position Identifiers -->
<number name="vMailPosition" scope="stream" />
<number name="vMailStop" scope="steam" />
<!-- Variables for holding strings -->
 <string name="vEmailAddress" scope="stream" />
</declaration>

<!-- Evaluate From mail match -->
 <match name="MailFrom">
 <!-- Find ">" within 512 bytes -->
 <find name="vMailPosition" value="&#x3C;" length="512">
 <!-- when found, assign contents between current potistion and vmailPosition to vEmailAddress -->
 <read name="vEmailAddress" length="$vMailPosition">
 <register name="sender" value="$vEmailAddress" />
 </read>
 </find>
 </match>         
    </match>

</parser>

 

But for love nor money can I get it to work properly. I have tried a number of match combinations including encoding the "MAIL FROM:" in various formats, but cannot seem to get it to match or register the email address in the email.src register.

 

If anyone can see what I have done wrong, or have any suggestions, I would be most grateful.

 

Regards


Dave

Outcomes