[Bro] Extracting files transferred over smb
Hosom, Stephen M
hosom at battelle.org
Tue Oct 17 11:48:07 PDT 2017
File extraction over SMB should be fairly trivial. In fact, there's nothing limiting the plugin from doing it currently. Any of the extracted filetypes will be extracted regardless of protocol or direction--so long as Bro sees a file and it matches the extraction 'policy' configured in the plugin.
If you wanted to find files specifically being extracted from SMB, look in your files.log for entries where the source field is SMB and the extracted value isn't unset (which by default is "-").
If you're interested in a plugin that specifically targets files transferred over SMB... I could see the usefulness of that and would gladly write it sometime in the next couple nights.
From: bro-bounces at bro.org <bro-bounces at bro.org> on behalf of Vikram Basu <vikrambasu059 at gmail.com>
Sent: Tuesday, October 17, 2017 1:49:13 PM
To: bro at bro.org
Subject: [Bro] Extracting files transferred over smb
Message received from outside the Battelle network. Carefully examine it before you open any links or attachments.
Using hosom’s excellent file-extraction module for Bro, I am able to extract files transferred over FTP and HTTP. I am left wondering if however there is a way to extract files transferred over SMB as well. Bro already can track smb files from what I understand. How difficult would it be to extract files transferred over smb currently ?
Also I lack any accessible SMTP server at the moment so I have to ask can bro extract files transferred over SMTP as well ?
More information about the Bro