[Bro] How to enable SMB analyzer in Bro 2.3?
Xiang Pan
xiangpan2011 at gmail.com
Tue Jul 22 16:16:52 PDT 2014
Hi All,
I'm a newbie to Bro. Currently I'm working on a project that needs to
analyze SMB traffic. I want to enable all the SMB-related events, so I
googled a little bit and tried the following script:
##################SCRIPT BEGIN###############
const smbports = {
    135/tcp, 137/tcp, 138/tcp, 139/tcp, 445/tcp
};
redef capture_filters += {
    ["msrpc"] = "tcp port 135",
    ["netbios-ns"] = "tcp port 137",
    ["netbios-ds"] = "tcp port 138",
    ["netbios"] = "tcp port 139",
    ["smb"] = "tcp port 445"
};
redef dpd_config += { [Analyzer::ANALYZER_SMB] = [$ports = smbports] };
redef likely_server_ports += { 445/tcp };
redef record connection += {
    smb: Info &optional;
};
# analyze smb data
event smb_com_read_andx(c: connection, hdr: smb_hdr, data: string){
    print data;
}
###################SCRIPT END################
Then I saved this file as smb_try.bro and executed the command:
bro -r ./smb.pcap -B dpd ./smb_try.bro
However, Bro gave me the following error message:
"redef" used but not previously defined (dpd_config)
It seems that Bro can't find the identifier dpd_config. Am I missing some
scripts that need to be loaded at the beginning? What else should I do to
enable the SMB analyzer?
Best,
Xiang
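As an added example (not part of the original post and not code from the Bro project): Bro 2.2 and later removed the dpd_config table, and an analyzer is bound to a port set through Analyzer::register_for_ports() instead. The script below assumes the Analyzer::ANALYZER_SMB tag used in the post is defined in the running build; if it is not, Bro reports an unknown identifier on that line rather than a runtime failure.

```bro
# smb_register.bro (added example, not from the original post)
# Binds the SMB analyzer to its ports with the analyzer framework that
# replaced dpd_config in Bro 2.2, and prints a summary line per
# smb_com_read_andx event instead of dumping raw payload.

# Direct-hosted SMB (445) and SMB over NetBIOS session service (139).
const smb_ports: set[port] = { 139/tcp, 445/tcp } &redef;

redef likely_server_ports += { 139/tcp, 445/tcp };

event bro_init() &priority=5
    {
    # Analyzer::ANALYZER_SMB is assumed to exist in this build, as in
    # the original script. register_for_ports() returns F when the
    # analyzer could not be registered (e.g. disabled in this build).
    if ( ! Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, smb_ports) )
        Reporter::warning("SMB analyzer could not be registered for its ports");
    }

event smb_com_read_andx(c: connection, hdr: smb_hdr, data: string)
    {
    # Report connection and read size only; printing full file data
    # from a large pcap quickly becomes unmanageable.
    print fmt("%s SMB read_andx, %d bytes", c$id, |data|);
    }
```

Run it the same way as the original, e.g. bro -r ./smb.pcap ./smb_register.bro, to see whether events fire for the capture.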