[Bro] R: SMB copied files not showing in files.log

Rinaldi Stefano stefano.rinaldi at aizoongroup.com
Thu Nov 9 02:11:26 PST 2017

Hi all, I and my colleagues have identified a scenario where one or more files are read without any real intention from the client (user or process). We have found that the presence of an Antivirus (AV) product (in our case: Sophos Endpoint Security and Control) have a considerable influence on SMB traffic and Bro log entries. The AV implies that all the files present in the selected remote directory are partially read and this leads to spurious entries in Bro SMB log files.

Da: bro-bounces at bro.org [mailto:bro-bounces at bro.org] Per conto di Seth Hall
Inviato: lunedì 30 ottobre 2017 15:52
A: Vikram Basu <vikrambasu059 at gmail.com>
Cc: bro at bro.org
Oggetto: Re: [Bro] SMB copied files not showing in files.log

SMB is a complicated protocol. Windows systems will frequently call open on remote files but not actually transfer any of the bytes of the file. I think there may be several scenarios where they do that and I may not understand them all completely yet unfortunately.

Generally if some bytes of a file are transferred over SMB, that file will show up in files.log since files.log is meant to represent the actual transfer of files. The confusion arising from the smb_cmds.log file (where you saw the SMB::FILE_OPEN command) is one of the many reasons that that log is disabled by default too.

Are you experiencing a case where you know that a file was actually transferred over SMB but you didn't see a corresponding entry in files.log? If that's true, then I would really appreciate a pcap of the problem! I would really like to know about any cases where that isn't working correctly.


On 30 Oct 2017, at 8:22, Vikram Basu wrote:


So I am using the SMB plugin for Bro by loading in local.bro but it seems to be very inconsistent.

Often times when I am copying files between two windows machines over the domain there is no corresponding file in the files.log.

The smb_files.log itself seems to filled up with a lot of .ini files as well and they all seem to have the “SMB::FILE_OPEN” action even when I haven’t opened any of them.

I thought I would use files showing source as SMB in files.log to differentiate when files are actually copied over the network but often times Bro does not detect the same.

Is there any particular way I need to share the files in windows to get the copied files to show up consistently in bro?


Vikram Basu

Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>

Seth Hall * Corelight, Inc * www.corelight.com<http://www.corelight.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171109/79141cde/attachment.html 

More information about the Bro mailing list