[Bro] smb analyzer does not seem to be enabled
Azoff, Justin S
jazoff at illinois.edu
Thu Sep 22 08:55:48 PDT 2016
How did you run the pcap file? If you just ran
bro -r foo.pcap
that does not load the local config, you need to use
bro local -r foo.pcap
or use `broctl process`.
- Justin Azoff
> On Sep 22, 2016, at 11:49 AM, erik clark <philosnef at gmail.com> wrote:
> Hm. I enabled it in
> -> @load policy/protocols/smb
> and I ran a pcap with exclusively 445 port traffic, but got nothing back. The pcap is 70 megs big. (tcpdump -w pcap "port 445")
> I am trying to get output from smb2.pcap (included in Traces directory in the master branch), but that also does not produce any smb logs.
> bro -N shows -> Bro::SMB - SMB analyzer (built-in)
> so I am not sure why the entry in local.bro is apparently not causing smb events to fire? Thanks for your time!
> On Thu, Sep 22, 2016 at 10:54 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> # Uncomment the following line to enable the SMB analyzer. The analyzer
> # is currently considered a preview and therefore not loaded by default.
> # @load policy/protocols/smb
> - Justin Azoff
> > On Sep 22, 2016, at 10:36 AM, erik clark <philosnef at gmail.com> wrote:
> > Fresh built 25master, feeding bro a pcap with 445 traffic, no smb logs produced. Do you need to explicitly enable it somewhere?
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro