Bro appears to sometimes truncate files extracted from SMTP attachments.
I have a PCAP containing an email. The email has two zip files attached.
Outlook (and MailView) are able to extract both zip files. Bro successfully extracts the first zip file, but omits the last few bytes of the second zip's End of central directory record.
This bug does not manifest for all zip attachments. I was not able to determine a reason as to why one attachment was successfully extracted and why the other wasn't.
Within the PCAP with the bug, both attachments have a Content-Type of "application/octet-stream" and are base64 encoded.
I unfortunately cannot upload the PCAP.
Security Onion 14.04.5.1 (x64)
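A check for the truncation described in this report, as an added example that is not part of the original report or of Bro: it finds the End of central directory (EOCD) record in an extracted file and reports how many trailing bytes are missing. The function names and the in-memory sample archive are constructed for illustration; paths to extracted files are passed on the command line.

```python
import io
import struct
import sys
import zipfile

EOCD_SIG = b"PK\x05\x06"
# signature, disk no., CD start disk, entries on disk, total entries,
# CD size, CD offset, comment length -> 22 bytes of fixed fields
EOCD_FIXED = struct.Struct("<4sHHHHIIH")


def check_eocd(data: bytes):
    """Return (status, missing_bytes) for the EOCD record of a candidate zip."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0:
        # No signature at all: not a zip, or cut off before the EOCD began.
        return ("no-eocd", None)
    avail = len(data) - pos
    if avail < EOCD_FIXED.size:
        # Signature present but the fixed fields are cut short.
        return ("truncated", EOCD_FIXED.size - avail)
    fields = EOCD_FIXED.unpack_from(data, pos)
    cd_size, cd_offset, comment_len = fields[5], fields[6], fields[7]
    need = EOCD_FIXED.size + comment_len
    if avail < need:
        # Fixed fields intact, archive comment cut short.
        return ("truncated", need - avail)
    if cd_offset + cd_size > pos:
        # Central directory would overlap the EOCD: bytes lost earlier on.
        return ("inconsistent", None)
    return ("ok", 0)


def make_sample_zip() -> bytes:
    """Build a small constructed archive in memory (sample data, not from the PCAP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, *check_eocd(fh.read()))
```

Running it over both extracted attachments shows whether the second file is short by a fixed number of bytes, which helps narrow down where the extraction stops.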