[Bro] smb analyzer does not seem to be enabled

erik clark philosnef at gmail.com
Thu Sep 22 08:53:32 PDT 2016


AH ignore this! I am not getting any smb traffic I guess on this link, and
I had to explicitly call the smb analyzer:

bro -C -r $pcap /opt/bro/share/bro/policy/protocols/smb/__load__.bro

Thanks all, this works fantastic!

On Thu, Sep 22, 2016 at 11:49 AM, erik clark <philosnef at gmail.com> wrote:

> Hm. I enabled it in
>
> /opt/bro/share/bro/site/local.bro
>
> -> @load policy/protocols/smb
>
> and I ran a pcap with exclusively 445 port traffic, but got nothing back.
> The pcap is 70 megs big. (tcpdump -w pcap "port 445")
>
> I am trying to get output from smb2.pcap (included in Traces directory in
> the master branch), but that also does not produce any smb logs.
>
> bro -N shows ->   Bro::SMB - SMB analyzer (built-in)
>
> so I am not sure why the entry in local.bro is apparently not causing smb
> events to fire? Thanks for your time!
>
> On Thu, Sep 22, 2016 at 10:54 AM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
>
>> local.bro:
>>
>> # Uncomment the following line to enable the SMB analyzer.  The analyzer
>> # is currently considered a preview and therefore not loaded by default.
>> # @load policy/protocols/smb
>>
>> --
>> - Justin Azoff
>>
>> > On Sep 22, 2016, at 10:36 AM, erik clark <philosnef at gmail.com> wrote:
>> >
>> > Fresh built 25master, feeding bro a pcap with 445 traffic, no smb logs
>> > produced. Do you need to explicitly enable it somewhere?
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>
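An added example, not code from this thread or from the Bro project, that wraps the final command Erik used (bro -C -r with the SMB policy script) and then separates the two reasons "no smb logs" can happen: the SMB policy not being loaded, versus the pcap simply carrying no SMB traffic, which was the actual cause here. It assumes the Bro 2.5 SMB log names smb_mapping.log, smb_files.log and smb_cmd.log, the script path quoted in the thread, and the default conn.log layout with id.resp_p as the sixth tab-separated field; the BRO_BIN and SMB_SCRIPT variables and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Bro itself.
# Runs Bro on a pcap with the SMB policy script loaded (the command from the
# thread) and then tells the two "no smb logs" cases apart:
#   - conn.log has port-445 connections but no smb_*.log  -> analyzer not loaded
#   - conn.log has no port-445 connections               -> pcap has no SMB traffic
# Assumptions: Bro 2.5 log names, the script path from the thread, and the
# default conn.log layout with id.resp_p as the sixth tab-separated field.
BRO_BIN="${BRO_BIN:-bro}"
SMB_SCRIPT="${SMB_SCRIPT:-/opt/bro/share/bro/policy/protocols/smb/__load__.bro}"

# run_smb_analysis PCAP OUTDIR: run Bro inside OUTDIR so the logs land there.
# -C ignores bad checksums (common in captures taken on the sending host).
run_smb_analysis() {
    mkdir -p "$2"
    ( cd "$2" && "$BRO_BIN" -C -r "$1" "$SMB_SCRIPT" )
}

# count_port445_conns LOGDIR: number of conn.log records whose responder port is 445.
count_port445_conns() {
    if [ ! -f "$1/conn.log" ]; then echo 0; return 0; fi
    awk -F'\t' '!/^#/ && $6 == 445 { n++ } END { print n + 0 }' "$1/conn.log"
}

# smb_logs_present LOGDIR: list the SMB logs that exist with at least one
# record (header lines start with '#'); succeed if any was found, else fail.
smb_logs_present() {
    found=0
    for log in smb_mapping.log smb_files.log smb_cmd.log; do
        if [ -f "$1/$log" ]; then
            records=$(grep -vc '^#' "$1/$log" || true)
            if [ "$records" -gt 0 ]; then
                echo "$log: $records records"
                found=1
            fi
        fi
    done
    [ "$found" -eq 1 ]
}

# diagnose LOGDIR: one-line verdict based on the two checks above.
diagnose() {
    conns=$(count_port445_conns "$1")
    if smb_logs_present "$1" >/dev/null; then
        echo "ok: SMB analyzer produced logs"
    elif [ "$conns" -gt 0 ]; then
        echo "problem: $conns port-445 connections seen but no smb logs; SMB policy not loaded?"
    else
        echo "problem: no port-445 connections in conn.log; the pcap carries no SMB traffic"
    fi
}

# Usage: sh smb_check.sh capture.pcap ./smb-out
if [ "$#" -eq 2 ]; then
    run_smb_analysis "$1" "$2"
    smb_logs_present "$2"
    diagnose "$2"
fi
```

Running it against the thread's smb2.pcap from the Traces directory should give the "ok" verdict; running it against a capture that only looks like SMB traffic gives the second "problem" line, which is the quickest way to confirm that the analyzer is loaded but the capture is the issue.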