SMTP Collector

See the design guide for an overview of using ACE to scan emails extracted from SMTP session data.

Installation

  1. Install Zeek into /opt/bro.
  2. Symlink the /opt/ace/bro directory to /opt/bro/share/zeek/site/ace (the symlink and its target must be readable by the user Zeek runs as).
  3. Edit /opt/bro/share/zeek/site/local.zeek and add the following lines at the end of the file. Zeek discards packets that fail checksum validation, which is what traffic captured from an interface with checksum offloading enabled looks like; redef ignore_checksums = T disables that check so the SMTP sessions are still reassembled and written out.
redef ignore_checksums = T;
@load ace/ace_local
@load ace/ace_smtp
  4. Edit /opt/ace/bro/ace_local.zeek and modify the record_smtp_stream definition if required for your deployment.
  5. Start or restart Zeek so the new scripts are loaded.
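The steps above applied as an idempotent shell script. This is an added example, not an installer that ships with ACE or Zeek: the paths default to the ones used above (ZEEK_PREFIX=/opt/bro, ACE_DIR=/opt/ace) and can be overridden as arguments; the script only creates the symlink and appends the three local.zeek lines when they are missing, and leaves the ace_local.zeek review and the Zeek restart to the operator.

```shell
#!/bin/sh
# Added example (not ACE's own installer): applies the installation steps
# above idempotently. Arguments: [zeek_prefix] [ace_dir]; defaults follow the
# page (/opt/bro and /opt/ace).

# Lines the page says must be appended to local.zeek.
ACE_LOCAL_ZEEK_LINES='redef ignore_checksums = T;
@load ace/ace_local
@load ace/ace_smtp'

# Create the site symlink $zeek_prefix/share/zeek/site/ace -> $ace_dir/bro,
# or verify it if it already exists.
ace_link_site() {
    zeek_prefix=${1:-/opt/bro}; ace_dir=${2:-/opt/ace}
    site="$zeek_prefix/share/zeek/site"
    [ -d "$ace_dir/bro" ] || { echo "missing $ace_dir/bro" >&2; return 1; }
    mkdir -p "$site"
    if [ -L "$site/ace" ]; then
        [ "$(readlink "$site/ace")" = "$ace_dir/bro" ] ||
            { echo "$site/ace points somewhere else" >&2; return 1; }
    else
        ln -s "$ace_dir/bro" "$site/ace"
    fi
}

# Append each required line to local.zeek only if it is not already present
# (exact, whole-line match), so re-running never duplicates the directives.
ace_patch_local_zeek() {
    local_zeek=$1
    [ -f "$local_zeek" ] || : > "$local_zeek"
    printf '%s\n' "$ACE_LOCAL_ZEEK_LINES" | while IFS= read -r line; do
        grep -qxF -- "$line" "$local_zeek" || printf '%s\n' "$line" >> "$local_zeek"
    done
}

ace_install() {
    zeek_prefix=${1:-/opt/bro}; ace_dir=${2:-/opt/ace}
    ace_link_site "$zeek_prefix" "$ace_dir" &&
    ace_patch_local_zeek "$zeek_prefix/share/zeek/site/local.zeek"
    # Remaining manual steps: review $ace_dir/bro/ace_local.zeek
    # (record_smtp_stream) and restart Zeek so the scripts are loaded.
}
```

Run it as `ace_install` for the default layout, or `ace_install /usr/local/zeek /srv/ace` for a different one; a second run is a no-op.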

Configuration

The [bro] section of the configuration defines the directory the SMTP session files are written to, relative to the ACE data directory (DATA_DIR).

[bro]
; the directory that contains the SMTP streams generated by bro/ace_smtp.bro (relative to DATA_DIR)
smtp_dir = var/bro/smtp

Monitoring and Maintenance

Monitor the smtp_dir directory for file age and file count. A stream file that has been sitting there for a long time was not processed; check the collector logs to find out why. Creating the .ready file for a stream by hand forces the collector to process it. Because these files are complete SMTP sessions, including message bodies and attachments, restrict read access to the user the collector runs as.

If the number of files in this directory keeps growing, the collector is either not running or cannot keep up with the rate at which Zeek writes new streams.
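A small monitoring helper for the checks just described. This is an added example, not part of ACE: it assumes the spool is the smtp_dir above, that a stream file named NAME is picked up once a companion NAME.ready exists (the page's ".ready files"), and it uses find -mmin, which GNU and BSD find both provide although it is not strictly POSIX. Thresholds are arguments.

```shell
#!/bin/sh
# Added example (not part of ACE) for monitoring the SMTP stream spool.
# Assumption: a stream file NAME is processed once NAME.ready exists.

# Number of stream files in the spool, excluding .ready marker files.
smtp_file_count() {
    find "$1" -maxdepth 1 -type f ! -name '*.ready' | wc -l | tr -d ' '
}

# Stream files older than $2 minutes that still have no .ready marker:
# these are the ones to investigate in the collector logs.
smtp_stale_files() {
    dir=$1; max_age_min=$2
    find "$dir" -maxdepth 1 -type f ! -name '*.ready' -mmin "+$max_age_min" |
    while IFS= read -r f; do
        [ -e "$f.ready" ] || printf '%s\n' "$f"
    done
}

# Report on the spool. Return code: 0 = healthy, bit 1 = stale streams,
# bit 2 = backlog above $3 files (collector down or falling behind).
smtp_dir_status() {
    dir=$1; max_age_min=$2; max_count=$3
    stale=$(smtp_stale_files "$dir" "$max_age_min" | wc -l | tr -d ' ')
    count=$(smtp_file_count "$dir")
    rc=0
    if [ "$stale" -gt 0 ]; then
        echo "WARN: $stale stream(s) older than $max_age_min min without a .ready marker in $dir"
        rc=$((rc + 1))
    fi
    if [ "$count" -gt "$max_count" ]; then
        echo "WARN: $count streams in $dir (limit $max_count): collector not running or too slow"
        rc=$((rc + 2))
    fi
    return $rc
}

# Force processing of stale streams by creating their .ready markers,
# once the reason they were left behind has been looked at.
smtp_force_ready() {
    smtp_stale_files "$1" "$2" | while IFS= read -r f; do
        touch "$f.ready"
        echo "created $f.ready"
    done
}
```

A cron or Nagios-style wrapper would call `smtp_dir_status /opt/ace/var/bro/smtp 30 500` and alert on a non-zero return; `smtp_force_ready` is the manual remedy and should only be run after the logs have been checked.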