[Bro] SMB connections
vladg at illinois.edu
Mon Nov 30 09:08:17 PST 2015
The Exfil Framework is developed by someone from Reservoir Labs. Please
contact them with any questions.
That being said, note that SMB support in Bro is a best-effort
implementation of part of the specification (and very different from
what's actually seen on the wire), so detecting exfil over SMB likely
won't work at all.
Zied Turki <zied.turki at outlook.com> writes:
> Hello Bro Community,
> I am working on data exfiltration and I have just tested the Exfil Framework.
> I have noticed that the script failed to detect file uploads from the file server using the SMB protocol. Looking at the connection logs (conn.log), the SMB connections are unfortunately not logged.
> Would it be a known issue? Or should I tune some params?
> Please note that the traffic arrives at the Bro machine (I have checked using tcpdump).
> Many thanks,
> Bro mailing list
> bro at bro-ids.org