[Bro] SMB connections

Robert Rotsted rrotsted at gmail.com
Tue Dec 1 07:47:14 PST 2015


How big are the files that you are transferring?

What percentage loss are you seeing in your capture_loss log?
On Tue, Dec 1, 2015 at 4:43 AM Zied Turki <zied.turki at outlook.com> wrote:

> Hello,
>
> I have already set this variable to False.
> I have also tried some other scripts to log the SMB connections. I've got
> random log outputs: only a few SMB connections were logged, but not all of
> them.
>
> Many thanks,
>
> BR,
> Zied
>
> > Date: Mon, 30 Nov 2015 11:44:13 -0800
> > Subject: Re: [Bro] SMB connections
> > From: rrotsted at gmail.com
> > To: zied.turki at outlook.com
> > CC: bro at bro.org
>
> >
> > Hi Zied,
> >
> > By default, the Exfil framework will only attach to flows originated
> > by addresses in 10.0.0.0/8 that have a non-local responder.
> >
> > Try setting "ignore_local_dest_conn" to F in app-exfil-conn.bro.
> >
> > --bob
> >
> >
> > On Mon, Nov 30, 2015 at 2:48 AM, Zied Turki <zied.turki at outlook.com> wrote:
> > > Hello Bro Community,
> > >
> > > I am working on the data exfiltration and I have just tested the Exfil
> > > Framework.
> > > I have noticed that the script failed to detect file uploads from the file
> > > server using SMB protocol. Looking to the connections logs (conn.log), the
> > > SMB connections are unfortunately not logged.
> > > Would it be a known issue? Or should I tune some params?
> > > Please note that the traffic arrives to Bro machine (I have checked using
> > > tcpdump).
> > >
> > > Many thanks,
> > >
> > > BR,
> > > Zied
> > >
> > > _______________________________________________
> > > Bro mailing list
> > > bro at bro-ids.org
> > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
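Bob's second question above is about the capture_loss log: if Bro is dropping packets, SMB sessions can be missing from conn.log simply because the analyzer never saw enough of the flow. The script below is an added example, not code from the thread or from the Bro project. It parses Bro's tab-separated ASCII capture_loss.log (standard columns ts, ts_delta, peer, gaps, acks, percent_lost) and reports per-peer maximum and mean loss plus the intervals that exceed a threshold. The sample log lines are constructed for illustration, and the 1.0 % threshold is an assumption chosen for the example, not a Bro default.

```python
"""Summarise packet loss from a Bro/Zeek capture_loss.log.

Added example for the mailing-list discussion above; not part of Bro.
Assumes the standard capture_loss.log layout
(ts, ts_delta, peer, gaps, acks, percent_lost). The 1.0 % threshold is
an assumption for this example, not a documented Bro setting.
"""
from collections import defaultdict

# Constructed sample log in Bro's tab-separated ASCII format (not real data).
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tcapture_loss
#open\t2015-12-01-07-00-00
#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost
#types\ttime\tinterval\tstring\tcount\tcount\tdouble
1448953200.000000\t900.000000\tbro\t12\t48000\t0.025
1448954100.000000\t900.000000\tbro\t2100\t52000\t4.038462
1448955000.000000\t900.000000\tbro\t30\t51000\t0.058824
#close\t2015-12-01-07-45-00
"""

LOSS_THRESHOLD_PCT = 1.0  # assumption: flag measurement intervals above 1 % loss


def parse_capture_loss(text):
    """Yield one dict per data row, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines (#separator, #open, #close, ...)
        if fields is None:
            raise ValueError("data row before #fields header")
        row = dict(zip(fields, line.split("\t")))
        row["gaps"] = int(row["gaps"])           # ACKs seen for data Bro never saw
        row["acks"] = int(row["acks"])           # all ACKs seen in the interval
        row["percent_lost"] = float(row["percent_lost"])
        yield row


def summarize(text, threshold=LOSS_THRESHOLD_PCT):
    """Return per-peer stats: interval count, max and mean percent_lost, and the
    timestamps of intervals whose loss exceeded the threshold."""
    per_peer = defaultdict(lambda: {"intervals": 0, "max": 0.0, "sum": 0.0, "over": []})
    for row in parse_capture_loss(text):
        s = per_peer[row["peer"]]
        s["intervals"] += 1
        s["sum"] += row["percent_lost"]
        s["max"] = max(s["max"], row["percent_lost"])
        if row["percent_lost"] > threshold:
            s["over"].append(row["ts"])
    return {
        peer: {
            "intervals": s["intervals"],
            "max": s["max"],
            "mean": s["sum"] / s["intervals"],
            "over_threshold": s["over"],
        }
        for peer, s in per_peer.items()
    }


if __name__ == "__main__":
    for peer, s in summarize(SAMPLE_LOG).items():
        print(f"{peer}: {s['intervals']} intervals, max {s['max']:.3f}%, mean {s['mean']:.3f}%")
        for ts in s["over_threshold"]:
            print(f"  loss above {LOSS_THRESHOLD_PCT}% at ts={ts}")
```

Run it against a real file by replacing SAMPLE_LOG with the contents of capture_loss.log; a peer whose intervals regularly land in over_threshold is a capture problem to fix before tuning any detection script, since missing conn.log entries are then a symptom of dropped packets rather than of the Exfil framework's filters.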