Log attempted SMTP connections

Description

The SMTP analyzer currently uses a message transfer as the logging unit. However, extracting additional, non-message-related information into the logs and Bro script-land would be helpful.

For example, I will sometimes see botnets attempt to brute-force logins to SMTP servers, but not succeed (and thus not send a message). I would like to (1) be able to review more of my valid SMTP traffic (even if it's not information about mail that was sent) via a log (perhaps smtp.log, perhaps something else), and (2) raise notice actions based on certain observed patterns (for instance, a known malicious HELO string for a botnet).
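One way to get part (2) with the existing `smtp_request` event, as an added example script that is not part of this issue or of Bro itself; the module name `SMTP_HELO_Watch` and the watch-list contents are constructed placeholders:

```zeek
# Added example (not from the original issue): raise a Notice when an SMTP
# client presents a HELO/EHLO argument that is on a locally maintained watch
# list. The watch-list values below are constructed placeholders.
@load base/frameworks/notice
@load base/protocols/smtp

module SMTP_HELO_Watch;

export {
    redef enum Notice::Type += {
        ## A client sent a HELO/EHLO argument that is on the watch list.
        Suspicious_HELO,
    };

    ## HELO/EHLO arguments to alert on. Placeholder values; populate
    ## from your own intelligence via redef.
    const watch_helo: set[string] = {
        "EXAMPLE-BAD-HELO",
        "EXAMPLE-BAD-HELO-2",
    } &redef;
}

# smtp_request fires for every client command, whether or not a message
# is ever transferred, so failed brute-force sessions are still seen here.
event smtp_request(c: connection, is_orig: bool, command: string, arg: string)
    {
    # Only the client (originator) sends HELO/EHLO.
    if ( ! is_orig )
        return;

    local cmd = to_upper(command);
    if ( cmd != "HELO" && cmd != "EHLO" )
        return;

    if ( arg in watch_helo )
        NOTICE([$note=Suspicious_HELO,
                $conn=c,
                $msg=fmt("SMTP %s from %s with watched argument: %s",
                         cmd, c$id$orig_h, arg),
                $sub=arg,
                # Suppress repeats from the same source with the same string.
                $identifier=cat(c$id$orig_h, arg)]);
    }
```

This covers only the notice half of the request; recording every SMTP session in a log still needs the analyzer change described above.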

Environment

None

Assignee

Unassigned

Reporter

Jon Zeolla

Labels

External issue ID

None

Components

Affects versions

Priority

Normal