<div dir="ltr"><span style="color:rgba(0,0,0,0.87);font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:14px">Hi,</span><div><font color="rgba(0, 0, 0, 0.870588235294118)" face="Roboto, RobotoDraft, Helvetica, Arial, sans-serif"><span style="font-size:14px">I&#39;m running Security Onion with Zeek 3.0.7.</span></font></div><div><font color="rgba(0, 0, 0, 0.870588235294118)" face="Roboto, RobotoDraft, Helvetica, Arial, sans-serif"><span style="font-size:14px"><br></span></font><div style="color:rgba(0,0,0,0.87);font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:14px">I have a client accessing a NAS. Whenever the client accesses a folder containing executables, Zeek will log a &quot;bro_smb_files&quot; event for all the executables in the folder, even though the client did not open these executables.</div><div style="color:rgba(0,0,0,0.87);font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:14px"><br></div><div style="color:rgba(0,0,0,0.87);font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:14px">There is an action of &quot;SMB::FILE OPEN&quot; for all these executables, and they are extracted to the &quot;nsm/bro/extracted&quot; folder.</div><div style="color:rgba(0,0,0,0.87);font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:14px"><br></div><div style="color:rgba(0,0,0,0.87);font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:14px">Is this the default behaviour? It seems odd that the files are extracted even though they did not cross the wire.</div><div style="color:rgba(0,0,0,0.87);font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:14px"><br></div><div style="color:rgba(0,0,0,0.87);font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:14px">I&#39;m also a little confused by the &quot;SMB::FILE OPEN&quot; action when I reference the Zeek documentation. 
Does it mean the file was &quot;opened&quot; even though the client only accessed the mapped folder?</div><div style="color:rgba(0,0,0,0.87);font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:14px"><br></div><div style="color:rgba(0,0,0,0.87);font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:14px">The follow-up question on this would be the forensic integrity of the files. Would this weird SMB behavior affect the &quot;access&quot; date of the file (I am referring to the MACB dates of the file)?</div><div style="color:rgba(0,0,0,0.87);font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:14px"><br></div><div style="color:rgba(0,0,0,0.87);font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:14px">Thank you</div><div style="color:rgba(0,0,0,0.87);font-family:Roboto,RobotoDraft,Helvetica,Arial,sans-serif;font-size:14px"><br></div></div></div>
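One way an analyst can separate the folder-listing opens described in the post from opens where file content actually crossed the wire is to correlate Zeek's smb_files.log with files.log on the shared fuid. The script below is an added example, not code from the original post, Security Onion or the Zeek project. It assumes Security Onion's JSON log output with the standard Zeek field names (fuid, action, seen_bytes, extracted); the log lines embedded in it are constructed for illustration, and the rule "seen_bytes == 0 or no files.log record means metadata only" is a triage heuristic chosen here, not a classification Zeek itself makes.

```python
"""Triage SMB::FILE_OPEN records against files.log byte counts.

Added example (not from the original post). Assumes Zeek JSON logs as
written by Security Onion, one JSON object per line, with standard Zeek
field names. All log lines below are constructed sample data.
"""
import json
from collections import defaultdict

# Constructed smb_files.log lines: three executables "opened" while the
# client browsed \\nas\share\tools. Only c.exe was actually read.
SMB_FILES_LOG = r'''
{"ts":1600000000.1,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.10","fuid":"F1aaaa","action":"SMB::FILE_OPEN","path":"\\\\nas\\share\\tools","name":"a.exe","size":204800}
{"ts":1600000000.2,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.10","fuid":"F2bbbb","action":"SMB::FILE_OPEN","path":"\\\\nas\\share\\tools","name":"b.exe","size":102400}
{"ts":1600000000.3,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.10","fuid":"F3cccc","action":"SMB::FILE_OPEN","path":"\\\\nas\\share\\tools","name":"c.exe","size":512000}
'''

# Constructed files.log lines. a.exe has a record but zero bytes seen,
# b.exe has no record at all, c.exe was fully observed and extracted.
FILES_LOG = r'''
{"ts":1600000000.1,"fuid":"F1aaaa","source":"SMB","seen_bytes":0,"total_bytes":204800,"missing_bytes":204800,"extracted":"extract-1600000000.1-SMB-F1aaaa.exe"}
{"ts":1600000000.3,"fuid":"F3cccc","source":"SMB","seen_bytes":512000,"total_bytes":512000,"missing_bytes":0,"extracted":"extract-1600000000.3-SMB-F3cccc.exe"}
'''


def parse_json_log(text):
    """Parse one JSON record per non-empty line (Zeek JSON log format)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_files_by_fuid(files_records):
    """Map fuid -> files.log record so SMB opens can be joined to it."""
    return {rec["fuid"]: rec for rec in files_records if "fuid" in rec}


def classify_smb_opens(smb_records, files_by_fuid):
    """Classify each SMB::FILE_OPEN by whether content crossed the wire.

    Heuristic (an assumption of this example, not Zeek's own verdict):
    an open whose files.log record reports seen_bytes == 0, or which has
    no files.log record, is treated as metadata-only (e.g. a directory
    listing); seen_bytes > 0 is treated as a real content transfer.
    """
    results = []
    for rec in smb_records:
        if rec.get("action") != "SMB::FILE_OPEN":
            continue
        frec = files_by_fuid.get(rec.get("fuid"))
        seen = int(frec.get("seen_bytes", 0)) if frec else 0
        results.append({
            "name": rec.get("name"),
            "fuid": rec.get("fuid"),
            "client": rec.get("id.orig_h"),
            "seen_bytes": seen,
            "declared_size": rec.get("size"),
            # Extracted path with seen_bytes == 0 is worth checking on
            # disk: it should not contain the file's real content.
            "extracted": frec.get("extracted") if frec else None,
            "verdict": "content_transferred" if seen > 0 else "metadata_only",
        })
    return results


def summarize(results):
    """Count verdicts, e.g. {'metadata_only': 2, 'content_transferred': 1}."""
    counts = defaultdict(int)
    for r in results:
        counts[r["verdict"]] += 1
    return dict(counts)


def triage(smb_log_text=SMB_FILES_LOG, files_log_text=FILES_LOG):
    """Run the full join over two log texts and return the per-open results."""
    files_by_fuid = index_files_by_fuid(parse_json_log(files_log_text))
    return classify_smb_opens(parse_json_log(smb_log_text), files_by_fuid)


if __name__ == "__main__":
    rows = triage()
    for r in rows:
        print(f"{r['name']:<8} {r['verdict']:<20} seen={r['seen_bytes']:>7} "
              f"declared={r['declared_size']:>7} extracted={r['extracted']}")
    print(summarize(rows))
```

Run it against real logs by feeding the contents of smb_files.log and files.log to triage(); opens that land in metadata_only but still carry an extracted path are the ones to verify on disk, since an extracted file with zero observed bytes cannot hold the executable's actual content. Note that this heuristic says nothing about timestamps on the NAS itself: the MACB question in the post is answered by the server's filesystem, not by Zeek's logs.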