seth at corelight.com
Mon May 15 13:48:36 PDT 2017
> On May 15, 2017, at 12:11 AM, william de ping <bill.de.ping at gmail.com> wrote:
> in share/bro/policy/protocols/smb/main.smb
> look for write_cmd_log =F, if you change it to T, it will start the printing.
As a small addendum, that log probably isn't very useful. It was mostly created to be used during development because it logs every single SMB cmd that is seen (and there are *lots* of SMB cmd messages sent around).
Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com