[Bro] How to enable SMB analyzer in Bro 2.3?

Mike Kolkebeck mkolkebeck at gmail.com
Tue Jul 22 20:48:22 PDT 2014 

Assuming you're working in Bro 2.2 or 2.3, activating analyzers is much different than in previous versions.

You should remove these lines:
> redef dpd_config += { [Analyzer::ANALYZER_SMB] = [$ports = smbports] };
> 


And add this code:

event bro_init() &priority=5
{
Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, smbports);
}

With that said, and to my knowledge, the SMB analyzer is still not in a complete, working state. Anyone, please correct me if I am wrong. I'd look forward to seeing if anyone, or the core development team, can make improvements on it. Seth did work on a 2.1 development branch, but this no longer seems to be functioning for the latest stable releases.


> On Jul 22, 2014, at 6:16 PM, Xiang Pan <xiangpan2011 at gmail.com> wrote:
> 
> Hi All,
> 
> I'm a newbie for bro. Currently I'm working on a project which needs to analyze smb traffic. I want to enable all the smb-related events so I googled a little bit and tried with the following script:
> 
> 
> 
> ##################SCRIPT BEGIN###############
> 
> const smbports = {
> 
> 135/tcp, 137/tcp, 138/tcp, 139/tcp, 445/tcp
> 
> };
> 
> redef capture_filters += {
> 
> ["msrpc"] = "tcp port 135",
> 
> ["netbios-ns"] = "tcp port 137",
> 
> ["netbios-ds"] = "tcp port 138",
> 
> ["netbios"] = "tcp port 139",
> 
> ["smb"] = "tcp port 445"
> 
> };
> 
> redef dpd_config += { [Analyzer::ANALYZER_SMB] = [$ports = smbports] };
> 
> redef likely_server_ports += { 445/tcp };
> 
> redef record connection += {
> 
> smb: Info &optional;
> 
> };
> 
> 
> 
> #analyze smb data
> 
> event smb_com_read_andx(c: connection, hdr: smb_hdr, data: string){
> 
> print data;
> 
> }
> 
> ###################SCRIPT END################
> 
> 
> 
> 
> 
> Then I saved this file as smb_try.bro and executed command:
> 
> bro -r ./smb.pcap -B dpd ./smb_try.bro
> 
> 
> 
> However, bro gave me the following error message: 
> 
> "redef" used but not previously defined (dpd_config)
> 
> 
> 
> It seems that bro can't find identifier did_condig. Am I missing some scripts that need to be loaded in the beginning? What else should I do to enable smb analyzer?
> 
> 
> 
> Best,
> 
> Xiang
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140722/843a045b/attachment.html

More information about the Bro mailing list