[Bro] smb analyzer does not seem to be enabled
philosnef at gmail.com
Thu Sep 22 08:49:44 PDT 2016
Hm. I enabled it in
-> @load policy/protocols/smb
and I ran a pcap with exclusively 445 port traffic, but got nothing back.
The pcap is 70 megs big. (tcpdump -w pcap "port 445")
I am trying to get output from smb2.pcap (included in Traces directory in
the master branch), but that also does not produce any smb logs.
bro -N shows -> Bro::SMB - SMB analyzer (built-in)
so I am not sure why the entry in local.bro is apparently not causing smb
events to fire. Thanks for your time!
On Thu, Sep 22, 2016 at 10:54 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> # Uncomment the following line to enable the SMB analyzer. The analyzer
> # is currently considered a preview and therefore not loaded by default.
> # @load policy/protocols/smb
> - Justin Azoff
> > On Sep 22, 2016, at 10:36 AM, erik clark <philosnef at gmail.com> wrote:
> > Fresh built 25master, feeding bro a pcap with 445 traffic, no smb logs
> > produced. Do you need to explicitly enable it somewhere?
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
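The thread hinges on two things: whether the `@load policy/protocols/smb` line in local.bro is actually active (the stock file ships with it commented out, as Justin's quote shows), and whether Bro produces smb_*.log files when the policy is loaded against a trace. The script below is an added example, not code from the thread or from the Bro project. The first function checks a Bro script file for an uncommented `@load policy/protocols/smb` line; the second replays a pcap with that policy loaded explicitly on the command line (so it does not depend on local.bro at all) and lists the smb logs written to the current directory, which is where Bro writes logs by default. It assumes `bro` is on PATH for the second function; the sample local.bro contents used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the Bro mailing list thread or the Bro project).

# smb_policy_loaded FILE
#   Returns 0 if FILE contains an active (uncommented) "@load policy/protocols/smb"
#   line, 1 otherwise. A line such as "# @load policy/protocols/smb" (the default
#   in local.bro) does not count: the leading "#" makes it a comment.
#   Leading whitespace and a trailing comment after the path are allowed.
smb_policy_loaded() {
    grep -Eq '^[[:space:]]*@load[[:space:]]+policy/protocols/smb([[:space:]]|$)' "$1"
}

# replay_pcap_with_smb PCAP
#   Replays PCAP through bro with the SMB policy loaded from the command line,
#   bypassing local.bro entirely, then lists the smb_*.log files produced in
#   the current directory. Returns 2 if bro is not installed, 1 if bro fails,
#   and non-zero (from ls) if no smb logs were written, so the exit status
#   answers "did the analyzer emit anything?" directly.
replay_pcap_with_smb() {
    pcap=$1
    command -v bro >/dev/null 2>&1 || { echo "bro not found on PATH" >&2; return 2; }
    bro -r "$pcap" policy/protocols/smb || return 1
    ls smb*.log 2>/dev/null
}

# Usage (constructed walk-through, assumes local.bro and smb2.pcap exist here):
#   smb_policy_loaded local.bro || echo "SMB policy is still commented out in local.bro"
#   replay_pcap_with_smb smb2.pcap
# If the second call lists no smb*.log files even with the policy loaded
# explicitly, the problem is not local.bro but the trace or the build.
```

Running the replay with the policy named on the command line separates the two failure modes in the thread: if `bro -r smb2.pcap policy/protocols/smb` writes smb logs but `bro -r smb2.pcap local` does not, local.bro is the culprit.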