[Bro] smb_cmd.log

Seth Hall seth at corelight.com
Mon May 15 13:48:36 PDT 2017


> On May 15, 2017, at 12:11 AM, william de ping <bill.de.ping at gmail.com> wrote:
> 
> in share/bro/policy/protocols/smb/main.smb
> look for write_cmd_log =F, if you change it to T, it will start the printing.

As a small addendum, that log probably isn't very useful. It was mostly created to be used during development because it logs every single SMB cmd that is seen (and there are *lots* of SMB cmd messages sent around).

  .Seth

--
Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com



