[Bro] Fox-IT smb-ransomware bro script

erik clark philosnef at gmail.com
Tue Sep 27 08:09:45 PDT 2016


Aha! Line 2 says:

@load base/protocols/smb

I added

@load policy/protocols/smb

and it worked. Any idea why my smb stuff is in policy/protocols and not
base/protocols?

On Tue, Sep 27, 2016 at 10:56 AM, erik clark <philosnef at gmail.com> wrote:

> 2.5. I know smb is working, as I am getting smb_files and ntlm logs.
>
> On Tue, Sep 27, 2016 at 10:55 AM, Vlad Grigorescu <vladg at illinois.edu>
> wrote:
>
>> What version of Bro are you running. This would only work on the Bro 2.5
>> beta, or if you're using the SMB branch.
>>
>> erik clark <philosnef at gmail.com> writes:
>>
>> > Has anyone had any success with Fox-ITs smb-ransomware script?
>> >
>> > See:
>> > https://github.com/fox-it/bro-scripts/blob/master/smb-ransomware/smb-ransomware.bro
>> >
>> > I am getting:
>> >
>> > error in ./smb-ransomware.bro, line 80: no such field in record
>> > (FoxCryptoRansom::c$smb_state)
>> > error in ./smb-ransomware.bro, line 84: no such field in record
>> > (FoxCryptoRansom::c$smb_state)
>> > error in ./smb-ransomware.bro, line 84: unknown identifier SMB::FILE_WRITE,
>> > at or near "SMB::FILE_WRITE"
>> >
>> > I didn't want to open a github issue if there is a simple fix that I am
>> > unaware of. Thanks!
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
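As an added illustration of the fix discussed in this thread (not code from the thread or from the Fox-IT script), the sketch below loads the SMB scripts from the `policy/protocols/smb` path that works on Bro 2.5 and tests for the optional `c$smb_state` field before touching it, so the "no such field in record" errors above cannot occur; the `smb2_write_request` event signature, the `SMBWriteWatch` module name and the `write_threshold` value are assumptions for the example.

```bro
# Added example: load the 2.5 SMB scripts from the policy/ path and guard the
# optional c$smb_state record before using it. The smb2_write_request event
# signature below is assumed from Bro 2.5; adjust it if your build differs.
@load policy/protocols/smb
@load base/frameworks/notice

module SMBWriteWatch;

export {
	redef enum Notice::Type += {
		## Raised when one client issues many SMB2 write requests in a connection.
		Many_Writes
	};

	## Write requests per connection before a notice is raised (assumed value).
	const write_threshold = 200 &redef;
}

# Per-connection write counter, keyed by connection uid.
global writes: table[string] of count &default=0 &create_expire=1hr;

# Run after policy/protocols/smb (priority 5) has set current_file$action.
event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=-5
	{
	# c$smb_state is &optional: test for it instead of dereferencing blindly.
	if ( ! c?$smb_state || ! c$smb_state?$current_file )
		return;

	local f = c$smb_state$current_file;
	# SMB::FILE_WRITE is only defined once the SMB scripts are loaded.
	if ( ! f?$action || f$action != SMB::FILE_WRITE )
		return;

	++writes[c$uid];
	if ( writes[c$uid] == write_threshold )
		NOTICE([$note=Many_Writes,
		        $msg=fmt("%s issued %d SMB write requests over %s",
		                 c$id$orig_h, write_threshold, c$uid),
		        $conn=c,
		        $identifier=c$uid]);
	}
```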