[Bro] SMB connections

Zied Turki zied.turki at outlook.com
Tue Dec 1 08:33:12 PST 2015


Hi,

I have tried with ~10 MB and ~100 MB files.
Yes, I'm seeing some packet drop in the notice.log. I'll activate the packet_loss module to get the exact percentage.


PS: I'm running 4 workers and everything seems to be OK so far: low CPU and memory usage (the packet loss still exists...).

Regards,
Zied


From: rrotsted at gmail.com
Date: Tue, 1 Dec 2015 15:47:14 +0000
Subject: Re: [Bro] SMB connections
To: zied.turki at outlook.com
CC: bro at bro.org

How big are the files that you are transferring?

What percentage loss are you seeing in your capture_loss log?

On Tue, Dec 1, 2015 at 4:43 AM Zied Turki <zied.turki at outlook.com> wrote:

Hello,

I have already set this variable to False.
I have also tried some other scripts to log the SMB connections. I've got random log outputs: only a few SMB connections were logged, not all of them.

Many thanks,

BR,
Zied

> Date: Mon, 30 Nov 2015 11:44:13 -0800
> Subject: Re: [Bro] SMB connections
> From: rrotsted at gmail.com
> To: zied.turki at outlook.com
> CC: bro at bro.org
> 
> Hi Zied,
> 
> By default, the Exfil framework will only attach to flows originated
> by addresses in 10.0.0.0/8 that have a non-local responder.
> 
> Try setting "ignore_local_dest_conn" to F in app-exfil-conn.bro.
> 
> --bob
> 
> 
> On Mon, Nov 30, 2015 at 2:48 AM, Zied Turki <zied.turki at outlook.com> wrote:
> > Hello Bro Community,
> >
> > I am working on the data exfiltration and I have just tested the Exfil
> > Framework.
> > I have noticed that the script failed to detect file uploads from the file
> > server using the SMB protocol. Looking at the connection logs (conn.log), the
> > SMB connections are unfortunately not logged.
> > Would it be a known issue? Or should I tune some params?
> > Please note that the traffic arrives at the Bro machine (I have checked using
> > tcpdump).
> >
> > Many thanks,
> >
> > BR,
> > Zied
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
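The two diagnostics raised in this thread (how much loss the sensor reports per worker in capture_loss.log, and whether SMB flows show up in conn.log at all) can be checked offline from the logs. The script below is an added example, not code from the thread or from the Exfil framework; the log lines it parses are constructed, and the column names follow the standard Bro TSV header (`#fields`) for capture_loss.log and conn.log.

```python
# Added example: parse Bro TSV logs to report per-worker capture loss and
# count SMB flows in conn.log. Sample log content below is constructed.
from typing import Dict, List

# Constructed capture_loss.log excerpt (fields: ts ts_delta peer gaps acks percent_lost)
CAPTURE_LOSS_LOG = """#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost
1448980392.0\t900.0\tworker-1\t12\t4000\t0.3
1448980392.0\t900.0\tworker-2\t250\t5000\t5.0
1448980392.0\t900.0\tworker-3\t0\t3000\t0.0
1448980392.0\t900.0\tworker-4\t900\t6000\t15.0
"""

# Constructed conn.log excerpt (subset of the standard columns)
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1448980400.1\tC1\t10.1.1.5\t49152\t10.1.1.20\t445\ttcp\t-
1448980401.2\tC2\t10.1.1.5\t49153\t192.0.2.10\t443\ttcp\tssl
1448980402.3\tC3\t10.1.1.6\t49154\t10.1.1.20\t139\ttcp\t-
"""

SMB_PORTS = {"445", "139"}  # responder ports used by SMB (direct and NetBIOS session)


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro TSV log: '#fields' names the columns, other '#' lines are metadata."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def worst_capture_loss(text: str) -> Dict[str, float]:
    """Return the highest percent_lost seen per worker (peer) in capture_loss.log."""
    worst: Dict[str, float] = {}
    for row in parse_bro_log(text):
        pct = float(row["percent_lost"])
        worst[row["peer"]] = max(worst.get(row["peer"], 0.0), pct)
    return worst


def count_smb_flows(text: str) -> int:
    """Count conn.log rows to SMB ports; the service column may be '-' when no
    SMB analyzer is attached, so match on responder port rather than service."""
    return sum(1 for r in parse_bro_log(text)
               if r["proto"] == "tcp" and r["id.resp_p"] in SMB_PORTS)
```

A worker whose maximum percent_lost is far above the others (worker-4 in the constructed data) points at that worker's load or its NIC/capture path rather than at the scripts.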
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151201/9fd9557d/attachment.html 

