[Bro] bro files - network drive

Izik Birka Izik.Birka at hot.net.il
Wed May 17 02:03:05 PDT 2017

Yes, over SMB.
My problem is that when I search for files on the file server, all the files are written to files.log (including total_bytes and seen_bytes data),
and because of that I can't distinguish between a search on the file server and copying files from the file server.

Any suggestions?



-----Original Message-----
From: Vlad Grigorescu [mailto:vladg at illinois.edu] 
Sent: Tuesday, May 16, 2017 7:44 PM
To: Izik Birka <Izik.Birka at hot.net.il>; bro at bro.org
Subject: Re: [Bro] bro files - network drive

Izik Birka <Izik.Birka at hot.net.il> writes:

> Why when I only search file in network drive all the files in the 
> network drive are written to files.log ?

I'm assuming you mean over SMB? More data than just file transfers is logged because it can be useful for incident response.

> How can I detect a real file transfer?

Take a look at the total_bytes and seen_bytes fields.


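Vlad's pointer to total_bytes and seen_bytes, worked through on a files.log: this is an added example, not code from the thread or from the Bro project. It assumes the Bro 2.x ASCII log layout (tab-separated, a #fields header, '-' for unset values) and reads files.log after the fact; the sample rows, fuids, hosts, filenames and the category names are constructed for illustration.

```python
"""Classify files.log entries as metadata-only, partial or full transfers.

Added example, not part of the original thread or of Bro itself.
Assumes the Bro 2.x ASCII log format: tab-separated rows, a '#fields'
header naming the columns, '-' for unset fields.  The category names
and the sample data below are assumptions made for illustration.
"""
from typing import Dict, Iterator, List, Optional

# Constructed sample files.log.  Only a subset of the real columns is
# shown; the parser is driven by the #fields header, so a full log
# (with analyzers, md5, sha1, extracted, ...) parses unchanged.
SAMPLE_FILES_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tfilename\tseen_bytes\ttotal_bytes\tmissing_bytes
#types\ttime\tstring\tset[addr]\tset[addr]\tset[string]\tstring\tstring\tcount\tcount\tcount
1495011785.000000\tFa1\t10.0.0.5\t10.0.0.9\tCx1\tSMB\tbudget.xlsx\t0\t204800\t0
1495011786.000000\tFa2\t10.0.0.5\t10.0.0.9\tCx1\tSMB\tplan.docx\t65536\t65536\t0
1495011787.000000\tFa3\t10.0.0.5\t10.0.0.9\tCx1\tSMB\tbackup.zip\t4194304\t52428800\t0
1495011788.000000\tFa4\t10.0.0.5\t10.0.0.9\tCx1\tSMB\tnotes.txt\t900\t1200\t300
1495011789.000000\tFa5\t10.0.0.5\t10.0.0.9\tCx1\tSMB\tunknown.bin\t512\t-\t0
#close\t2017-05-17-09-05-00
"""


def parse_bro_log(text: str) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one dict per data row, keyed by the names in the #fields header.

    Unset fields (the '#unset_field' marker, '-' by default) become None.
    """
    fields: List[str] = []
    unset = "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def classify(rec: Dict[str, Optional[str]]) -> str:
    """Decide what the byte counters say about one file record.

    seen_bytes is what Bro actually observed on the wire for this file;
    total_bytes is the size the protocol announced, when it did.  A browse
    or directory search that never reads content leaves seen_bytes at 0,
    while a copy pulls the whole file.  missing_bytes > 0 means the sensor
    dropped traffic, so a short seen_bytes there is a capture gap, not
    evidence of a partial read.
    """
    seen = int(rec["seen_bytes"] or 0)
    missing = int(rec["missing_bytes"] or 0)
    total = int(rec["total_bytes"]) if rec["total_bytes"] is not None else None
    if seen == 0:
        return "metadata_only"
    if total is None:
        return "unknown_size"
    if missing > 0:
        return "capture_gap"
    if seen >= total:
        return "full_transfer"
    return "partial_transfer"


def summarize(text: str) -> Dict[str, str]:
    """Map each fuid in the log to its classification."""
    return {rec["fuid"]: classify(rec) for rec in parse_bro_log(text)}


def full_transfers(text: str) -> List[str]:
    """Return the fuids that look like a real copy, the question being asked."""
    return sorted(f for f, c in summarize(text).items() if c == "full_transfer")


if __name__ == "__main__":
    for fuid, verdict in summarize(SAMPLE_FILES_LOG).items():
        print(fuid, verdict)
```

The counters only record bytes Bro saw, not intent: a client-side content search or an indexing agent that reads every file will look exactly like a copy in files.log, and a copy of a file whose size SMB never announced stays in the unknown_size bucket. Correlate with conn.log (the conn_uids column) and with who the rx_hosts is before treating a full_transfer as exfiltration.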