[Bro] SMB connections

Vlad Grigorescu vladg at illinois.edu
Mon Nov 30 09:08:17 PST 2015


The Exfil Framework is developed by someone from Reservoir Labs. Please
contact them with any questions.

That being said, note that SMB support in Bro is a best-effort
implementation of part of the specification (and very different from
what's actually seen on the wire), so detecting exfil over SMB likely
won't work at all.


Zied Turki <zied.turki at outlook.com> writes:

> Hello Bro Community,
> I am working on data exfiltration and I have just tested the Exfil Framework.
> I have noticed that the script failed to detect file uploads from the file server using the SMB protocol. Looking at the connection logs (conn.log), the SMB connections are unfortunately not logged.
> Would it be a known issue? Or should I tune some params?
> Please note that the traffic arrives at the Bro machine (I have checked using tcpdump).
> Many thanks,
> BR,
> Zied
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
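A check worth running before blaming the SMB analyzer, as an added example that is not part of this thread, of Bro, or of the Exfil Framework: Bro writes a conn.log record for every connection it tracks whether or not a protocol analyzer attached, so SMB traffic that Bro actually saw should still appear as TCP connections to port 445 (or 139) with the service column left as "-". The Python below parses a constructed conn.log excerpt (sample rows, not a real capture; the column layout is Bro's default conn.log #fields header), lists the SMB-port connections, and flags those whose originator sent more than an assumed threshold as candidate uploads. The 10 MiB threshold, the port set and the sample data are assumptions made for the example.

```python
"""Check a Bro conn.log for SMB-port connections and flag upload-sized ones.

Added example; not code from Bro or from the Exfil Framework. Bro logs one
conn.log record per tracked connection even when no protocol analyzer
attached (the service column is then "-"), so this check does not depend on
the SMB analyzer.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Assumed (hypothetical) threshold: originator bytes above this on an SMB-port
# connection are treated as a candidate file upload worth a closer look.
UPLOAD_BYTES_THRESHOLD = 10 * 1024 * 1024
# Ports SMB is normally served on (445 direct, 139 over NetBIOS session).
SMB_PORTS = {139, 445}

# Constructed sample, not a real capture. Column layout follows Bro's default
# conn.log "#fields" header; all values are made up.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp"
    "\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes"
    "\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount"
    "\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount"
    "\tset[string]\n"
    # 50 MiB pushed to the file server over 445, no analyzer attached
    "1448903297.123456\tCAbc1\t10.0.0.5\t49152\t10.0.0.20\t445\ttcp\t-\t12.5"
    "\t52428800\t4096\tSF\tT\tT\t0\tShADadFf\t40000\t54000000\t2000\t100000\t-\n"
    # small SMB exchange, also unanalysed
    "1448903298.000000\tCAbc2\t10.0.0.7\t49153\t10.0.0.20\t445\ttcp\t-\t0.5"
    "\t1200\t800\tSF\tT\tT\t0\tShADadFf\t10\t1700\t8\t1200\t-\n"
    # unrelated HTTPS connection
    "1448903299.000000\tCAbc3\t10.0.0.5\t49154\t93.184.216.34\t443\ttcp\tssl\t3.0"
    "\t3000\t9000\tSF\tT\tF\t0\tShADadFf\t20\t4000\t25\t10000\t-\n"
    # SYN only (S0): byte counters logged as unset ("-")
    "1448903300.000000\tCAbc4\t10.0.0.9\t49155\t10.0.0.20\t445\ttcp\t-\t-"
    "\t-\t-\tS0\tT\tT\t0\tS\t1\t60\t0\t0\t-\n"
    "#close\t2015-11-30-17-08-17\n"
)


@dataclass
class Conn:
    uid: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    service: str      # "-" when no protocol analyzer attached
    orig_bytes: int   # 0 when Bro logged the field as unset ("-")
    resp_bytes: int


def _count(value: str) -> int:
    """Bro 'count' column: '-' means unset; treat it as zero bytes."""
    return 0 if value == "-" else int(value)


def parse_conn_log(text: str) -> Iterator[Conn]:
    """Parse Bro's tab-separated ASCII conn.log, driven by its #fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if not fields:
            raise ValueError("data row before #fields header")
        row: Dict[str, str] = dict(zip(fields, line.split("\t")))
        yield Conn(
            uid=row["uid"],
            orig_h=row["id.orig_h"],
            orig_p=int(row["id.orig_p"]),
            resp_h=row["id.resp_h"],
            resp_p=int(row["id.resp_p"]),
            proto=row["proto"],
            service=row["service"],
            orig_bytes=_count(row["orig_bytes"]),
            resp_bytes=_count(row["resp_bytes"]),
        )


def smb_connections(text: str) -> List[Conn]:
    """Every TCP connection to an SMB port, regardless of the service column."""
    return [c for c in parse_conn_log(text) if c.proto == "tcp" and c.resp_p in SMB_PORTS]


def suspected_smb_uploads(text: str, threshold: int = UPLOAD_BYTES_THRESHOLD) -> List[Conn]:
    """SMB-port connections where the client sent more than `threshold` bytes."""
    return [c for c in smb_connections(text) if c.orig_bytes > threshold]


if __name__ == "__main__":
    seen = smb_connections(SAMPLE_CONN_LOG)
    print(f"{len(seen)} SMB-port connection(s) in conn.log, "
          f"{sum(c.service == '-' for c in seen)} without an SMB analyzer attached")
    for c in suspected_smb_uploads(SAMPLE_CONN_LOG):
        print(f"{c.uid}: {c.orig_h} -> {c.resp_h}:{c.resp_p} sent {c.orig_bytes} bytes")
```

Run it against a real conn.log by passing the file contents to smb_connections(). If port-445 connections are absent from conn.log while tcpdump on the same interface shows them, the gap is at the capture layer rather than in SMB parsing: check the interface and BPF filter Bro was started with, and remember that Bro discards packets with bad checksums unless told to ignore them (the -C flag or ignore_checksums), which bites when capturing on a host with TX checksum offloading enabled.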