stoQ plugin parses SMTP sessions and extracts attachments.
All options below may be set by:
The speed of the UnicodeDammit decoder from BeautifulSoup module is much faster when the cchardet module is installed,
but will fall back to the chardet module if it is not installed.
-
omit_body[True/False]: Save body of e-mail (text or html) to the results. -
always_dispatch[str] = Comma separated list of stoQ plugins to always send extracted attachments to -
archive_attachments[True/False]: Should attachments be archived? -
extract_iocs[True/False]: Useiocextractplugin to extract IOCs from objects defined inioc_keys -
ioc_keys[str]: Comma separated list of SMTP headers to extract IOCs from. May also includebodyand/orbody_htmlto include e-mail body content.
Monitor /home/stoq/Maildir/new for new files using the dirmon provider plugin, then scan the SMTP session using the smtp plugin. If any attachments are extracted, automatically send them to the hash and yara plugins and archive them to /home/stoq/archive with the filedir plugin. Additionally, let's also extract any IOC's found in the SMTP headers and e-mail body using the iocextract plugin. Finally, the results will be saved to /home/stoq/results using the filedir plugin:
$ stoq run -P dirmon -A filedir -C filedir -s smtp --plugin-opts \
dirmon:source_dir=/home/stoq/Maildir/new \
filedir:archive_dir=/home/stoq/archive \
filedir:results_dir=/home/stoq/results \
smtp:always_dispatch=hash,yara \
smtp:archive_attachments=True \
smtp:extract_iocs=True