[Bro] Fox-IT smb-ransomware bro script

erik clark philosnef at gmail.com
Tue Sep 27 07:56:55 PDT 2016


2.5. I know smb is working, as I am getting smb_files and ntlm logs.

On Tue, Sep 27, 2016 at 10:55 AM, Vlad Grigorescu <vladg at illinois.edu>
wrote:

> What version of Bro are you running? This would only work on the Bro 2.5
> beta, or if you're using the SMB branch.
>
> erik clark <philosnef at gmail.com> writes:
>
> > Has anyone had any success with Fox-IT's smb-ransomware script?
> >
> > See:
> > https://github.com/fox-it/bro-scripts/blob/master/smb-ransomware/smb-ransomware.bro
> >
> > I am getting:
> >
> > error in ./smb-ransomware.bro, line 80: no such field in record
> > (FoxCryptoRansom::c$smb_state)
> > error in ./smb-ransomware.bro, line 84: no such field in record
> > (FoxCryptoRansom::c$smb_state)
> > error in ./smb-ransomware.bro, line 84: unknown identifier SMB::FILE_WRITE,
> > at or near "SMB::FILE_WRITE"
> >
> > I didn't want to open a github issue if there is a simple fix that I am
> > unaware of. Thanks!