[Bro] smb analyzer does not seem to be enabled
philosnef at gmail.com
Thu Sep 22 08:53:32 PDT 2016
AH ignore this! I am not getting any smb traffic I guess on this link, and
I had to explicitly call the smb analyzer:
bro -C -r $pcap /opt/bro/share/bro/policy/protocols/smb/__load__.bro
Thanks all, this works fantastic!
On Thu, Sep 22, 2016 at 11:49 AM, erik clark <philosnef at gmail.com> wrote:
> Hm. I enabled it in
> -> @load policy/protocols/smb
> and I ran a pcap with exclusively 445 port traffic, but got nothing back.
> The pcap is 70 megs big. (tcpdump -w pcap "port 445")
> I am trying to get output from smb2.pcap (included in Traces directory in
> the master branch), but that also does not produce any smb logs.
> bro -N shows -> Bro::SMB - SMB analyzer (built-in)
> so I am not sure why the entry in local.bro is apparently not causing smb
> events to fire? Thanks for your time!
> On Thu, Sep 22, 2016 at 10:54 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>> # Uncomment the following line to enable the SMB analyzer. The analyzer
>> # is currently considered a preview and therefore not loaded by default.
>> # @load policy/protocols/smb
>> - Justin Azoff
>> > On Sep 22, 2016, at 10:36 AM, erik clark <philosnef at gmail.com> wrote:
>> > Fresh built 25master, feeding bro a pcap with 445 traffic, no smb logs
>> > produced. Do you need to explicitly enable it somewhere?
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
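Once the SMB policy is loaded, the practical check is that smb logs actually appear in the output directory and contain records; the parser below, an added example that is not part of this thread, reads Bro's ASCII log format (the `#separator`, `#fields`, `#unset_field` and `#empty_field` header lines) and lists the shares seen. The embedded sample log is constructed, and its column names assume the smb_mapping.log layout of the Bro 2.5 SMB analyzer; compare them against the `#fields` line of your own build.

```python
# Constructed sample of a Bro ASCII log (tab-separated, '#'-prefixed headers).
# Column names assume Bro 2.5's smb_mapping.log; verify against your #fields line.
SAMPLE_SMB_MAPPING_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tsmb_mapping",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tpath\tservice\tnative_file_system\tshare_type",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring",
    "1474556012.123456\tCabc123\t10.0.0.5\t49152\t10.0.0.9\t445"
    "\t\\\\10.0.0.9\\IPC$\tIPC\t-\tPIPE",
    "1474556013.654321\tCdef456\t10.0.0.5\t49153\t10.0.0.9\t445"
    "\t\\\\10.0.0.9\\share\tA:\tNTFS\tDISK",
    "1474556014.000001\tCghi789\t10.0.0.7\t49160\t10.0.0.9\t445"
    "\t\\\\10.0.0.9\\share\tA:\t(empty)\tDISK",
    "#close\t2016-09-22-08-53-32",
])


def parse_bro_log(text):
    """Parse Bro ASCII log text into a list of dicts keyed by the #fields names.

    The separator is read from the escaped '#separator' directive (e.g. \\x09),
    unset fields ('-') become None and empty fields ('(empty)') become "".
    """
    sep, unset, empty, fields, records = "\t", "-", "(empty)", None, []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#separator "):
            sep = raw[len("#separator "):].encode("ascii").decode("unicode_escape")
        elif raw.startswith("#"):
            parts = raw[1:].split(sep)
            if parts[0] == "fields":
                fields = parts[1:]
            elif parts[0] == "unset_field":
                unset = parts[1]
            elif parts[0] == "empty_field":
                empty = parts[1]
        else:
            if fields is None:
                raise ValueError("data line before #fields header")
            values = raw.split(sep)
            if len(values) != len(fields):
                raise ValueError("field count does not match #fields header")
            records.append({n: None if v == unset else "" if v == empty else v
                            for n, v in zip(fields, values)})
    return records


def smb_shares_seen(text):
    """Distinct (client, server, share path, share type) tuples from smb_mapping.log."""
    return sorted({(r["id.orig_h"], r["id.resp_h"], r["path"], r["share_type"])
                   for r in parse_bro_log(text)})
```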