[Bro] Fox-IT smb-ransomware bro script

Liam Randall liam.randall at gmail.com
Tue Sep 27 08:22:27 PDT 2016


base is loaded by default

policy needs to be loaded as a matter of your organization's policy

On Tue, Sep 27, 2016 at 11:09 AM, erik clark <philosnef at gmail.com> wrote:

> Aha! Line 2 says:
>
> @load base/protocols/smb
>
> I added
>
> @load policy/protocols/smb
>
> and it worked. Any idea why my smb stuff is in policy/protocols and not
> base/protocols?
>
> On Tue, Sep 27, 2016 at 10:56 AM, erik clark <philosnef at gmail.com> wrote:
>
>> 2.5. I know smb is working, as I am getting smb_files and ntlm logs.
>>
>> On Tue, Sep 27, 2016 at 10:55 AM, Vlad Grigorescu <vladg at illinois.edu>
>> wrote:
>>
>>> What version of Bro are you running? This would only work on the Bro 2.5
>>> beta, or if you're using the SMB branch.
>>>
>>> erik clark <philosnef at gmail.com> writes:
>>>
>>> > Has anyone had any success with Fox-IT's smb-ransomware script?
>>> >
>>> > See:
>>> > https://github.com/fox-it/bro-scripts/blob/master/smb-ransomware/smb-ransomware.bro
>>> >
>>> > I am getting:
>>> >
>>> > error in ./smb-ransomware.bro, line 80: no such field in record
>>> > (FoxCryptoRansom::c$smb_state)
>>> > error in ./smb-ransomware.bro, line 84: no such field in record
>>> > (FoxCryptoRansom::c$smb_state)
>>> > error in ./smb-ransomware.bro, line 84: unknown identifier SMB::FILE_WRITE, at or near "SMB::FILE_WRITE"
>>> >
>>> > I didn't want to open a github issue if there is a simple fix that I am
>>> > unaware of. Thanks!
>>> > _______________________________________________
>>> > Bro mailing list
>>> > bro at bro-ids.org
>>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>
>
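Added example, not code from the thread, from Fox-IT or from the Bro project: a small POSIX sh helper for the diagnosis Erik did by hand above. Given a Bro share directory and an identifier from a loader error such as `SMB::FILE_WRITE` or `c$smb_state`, it reports whether `base/protocols/smb` (loaded by default) or `policy/protocols/smb` (must be loaded explicitly) mentions the name, and prints the `@load` line that is needed. The script tree the demo builds is a constructed fixture and does not reproduce the real Bro 2.5 scripts; to check an installation, point the functions at its real share directory (for example `/usr/local/bro/share/bro`, an assumed path).

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread). Locates which Bro
# script tree, base/ or policy/, defines an identifier named in a loader
# error, so you know whether an explicit @load is needed in local.bro.

# Reduce "SMB::FILE_WRITE" or "c$smb_state" to the bare name grep can find.
bare_name() {
    n=${1##*::}   # drop a "Module::" prefix
    n=${n##*\$}   # drop a "record$" field prefix
    echo "$n"
}

# Print "base" or "policy" depending on which protocols/smb tree under
# SHAREDIR mentions IDENT as a whole word. Prints nothing, returns 1 if none.
smb_script_tree_for() {
    ident=$(bare_name "$1")
    sharedir=$2
    for tree in base policy; do
        dir="$sharedir/$tree/protocols/smb"
        [ -d "$dir" ] || continue
        if grep -qE "(^|[^[:alnum:]_])${ident}([^[:alnum:]_]|$)" "$dir"/*.bro 2>/dev/null; then
            echo "$tree"
            return 0
        fi
    done
    return 1
}

# Turn the tree name into the advice a user of local.bro needs.
load_line_for() {
    tree=$(smb_script_tree_for "$1" "$2") || { echo "not defined under $2"; return 1; }
    case $tree in
        base)   echo "no @load needed (base/protocols/smb is loaded by default)" ;;
        policy) echo "@load policy/protocols/smb" ;;
    esac
}

# Constructed fixture tree (NOT the real Bro 2.5 scripts) for the demo/test:
# base/ knows about a log stream, policy/ defines the SMB actions and state.
make_fixture() {
    mkdir -p "$1/base/protocols/smb" "$1/policy/protocols/smb"
    cat > "$1/base/protocols/smb/main.bro" <<'EOF'
module SMB;
export {
    redef enum Log::ID += { FILES_LOG };
}
EOF
    cat > "$1/policy/protocols/smb/main.bro" <<'EOF'
module SMB;
export {
    type Action: enum { FILE_READ, FILE_WRITE, FILE_OPEN };
    type State: record { current_file: string &optional; };
}
redef record connection += { smb_state: State &optional; };
EOF
}

# Stand-alone demo on the constructed fixture (no Bro install required).
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
for id in 'SMB::FILE_WRITE' 'c$smb_state' 'FILES_LOG'; do
    printf '%s -> %s\n' "$id" "$(load_line_for "$id" "$demo_dir")"
done
rm -rf "$demo_dir"
```

On a real installation, `load_line_for 'SMB::FILE_WRITE' /usr/local/bro/share/bro` answers the question in this thread directly: if the name only lives under `policy/`, the `@load policy/protocols/smb` line belongs in `local.bro` before any script that references it.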