SMTP attachment data truncated

Description

Bro appears to sometimes truncate files extracted from SMTP attachments.

I have a PCAP containing an email. The email has two zip files attached.

Outlook (and MailView) are able to extract both zip files. Bro successfully extracts the first zip file, but omits the last few bytes of the second zip's End of central directory record.

This bug does not manifest for all zip attachments. I was not able to determine a reason as to why one attachment was successfully extracted and why the other wasn't.

Within the PCAP with the bug, both attachments have a Content-Type of "application/octet-stream" and are base64 encoded.

I unfortunately cannot upload the PCAP.

Environment

Security Onion 14.04.5.1 (x64)

Assignee

Unassigned

Reporter

Moshe Kaplan

Labels

External issue ID

None

Components

Affects versions

Priority

Normal
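
A check for the symptom described above, as an added example that is not from the reporter or the Bro project: it decodes the base64 MIME body independently, compares it with the extracted file, and tests whether each copy ends in a complete zip End of central directory (EOCD) record. The function names are hypothetical and the sample zip is constructed in memory.

```python
import base64
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
EOCD_FIXED_LEN = 22  # signature through the comment-length field


def eocd_status(data: bytes) -> str:
    """Return 'complete', 'truncated', 'inconsistent' or 'missing'."""
    pos = data.rfind(EOCD_SIG)  # the EOCD is the last record in the file
    if pos < 0:
        return "missing"
    tail = len(data) - pos
    if tail < EOCD_FIXED_LEN:
        return "truncated"  # fixed part of the record is cut short
    (_sig, _disk, _cd_disk, _n_disk, _n_total,
     cd_size, cd_offset, comment_len) = struct.unpack_from("<4s4H2LH", data, pos)
    if tail < EOCD_FIXED_LEN + comment_len:
        return "truncated"  # archive comment is cut short
    if cd_offset + cd_size > pos:
        return "inconsistent"  # central directory cannot fit before the EOCD
    return "complete"


def check_extraction(b64_body: bytes, extracted: bytes) -> dict:
    """Compare an extracted file with an independent decode of the MIME body."""
    reference = base64.b64decode(b64_body)  # ignores the MIME line breaks
    return {
        "missing_bytes": len(reference) - len(extracted),
        "is_prefix": reference.startswith(extracted),
        "reference_eocd": eocd_status(reference),
        "extracted_eocd": eocd_status(extracted),
    }


def build_sample_zip() -> bytes:
    """Constructed sample: a one-file stored zip built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.txt", "constructed sample content\n" * 20)
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_zip()
    body = base64.encodebytes(original)  # as carried in the message
    print(check_extraction(body, original[:-5]))  # simulate the lost tail
```

A result with `is_prefix` true and a positive `missing_bytes` indicates that the extractor dropped the tail of the attachment rather than corrupting its contents.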