[Bro] SMB

Johanna Amann johanna at icir.org
Fri Mar 3 15:34:31 PST 2017


Hi,

I might be mistaken here, but I think that data streams in SMB can use
multiple TCP connections. For individual files, you should be able to look
at the files log; if you want an aggregate, you will probably have to script
that yourself.

Johanna

On Thu, Feb 16, 2017 at 07:35:58AM +0000, Izik Birka wrote:
> Hi
> Any idea?
> 
> From: Izik Birka
> Sent: Tuesday, February 14, 2017 9:15 AM
> To: 'Martin, Eric J' <ejmartin2 at wpi.edu>
> Subject: RE: SMB
> 
> Hi
> I enabled them and it's great, but I'm looking for SMB byte statistics, like in the conn.log file.
> For example, if someone downloaded 300 MB with the SMB protocol (from a network share), is there any file that holds these statistics?
> 
> With the HTTP protocol, I can find it in the conn.log file.
> 
> 
> Thanks
> 
> 
> 
> From: Martin, Eric J [mailto:ejmartin2 at wpi.edu]
> Sent: Tuesday, February 14, 2017 12:09 AM
> To: Izik Birka <Izik.Birka at hot.net.il>
> Subject: Re: SMB
> 
> 
> There's smb_files and smb_mappings that need to be enabled.  When you say 'stats', what are you looking for?
> 
> 
> --
> Eric Martin
> ejmartin2 at wpi.edu
> Information Security Analyst
> Office: (508) 831-6070
> Worcester Polytechnic Institute
> www.wpi.edu
> PGP: C74F 1EBF 2E80 7984 8CB5  064E BF17 D34C C704 B30F
> For security purposes, this message has been double ROT13 encoded
> 
> ________________________________
> From: bro-bounces at bro.org on behalf of Izik Birka <Izik.Birka at hot.net.il>
> Sent: Monday, February 13, 2017 3:34:29 AM
> To: bro at bro.org
> Subject: [Bro] SMB
> 
> Hi
> Are there any logs that contain SMB stats? Why doesn't conn.log contain SMB connections?
> 
> I have Bro 2.5
> 
> Thanks
> Izik Birka
> 
> 
> This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain materials protected by copyright or information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or agreement. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication by error, notify the sender immediately and delete this message immediately. Thank you.

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
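
One way to script the aggregate mentioned in the reply at the top of this thread, as an added example that is not part of the original messages or Bro's own code: it post-processes files.log in Python (not Bro script) and sums seen_bytes per receiving host, so a transfer spread over several TCP connections is counted once per host. The sample log is constructed and carries only a subset of columns, the function name is hypothetical, and it assumes SMB transfers are logged with source set to SMB.

```python
from collections import defaultdict

# Constructed sample in Bro's tab-separated log layout (not real traffic);
# only a subset of the files.log columns is included.
SAMPLE_FILES_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tfilename\tseen_bytes",
    "1487056500.1\tFa1\t10.0.0.5\t10.0.0.20\tC1,C2\tSMB\tshare\\big.iso\t200000000",
    "1487056560.4\tFa2\t10.0.0.5\t10.0.0.20\tC3\tSMB\tshare\\more.iso\t100000000",
    "1487056570.9\tFa3\t192.0.2.10\t10.0.0.20\tC4\tHTTP\t-\t5120",
    "1487056580.2\tFa4\t10.0.0.5\t10.0.0.21\tC5\tSMB\tshare\\notes.txt\t2048",
    "#close\t2017-02-14-10-00-00",
])


def smb_bytes_by_receiver(log_text, source="SMB"):
    """Sum seen_bytes per receiving host for files.log rows of one source."""
    fields, totals = [], defaultdict(int)
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            # Column names follow the "#fields" token, tab-separated.
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue  # other header/footer lines, or data before #fields
        row = dict(zip(fields, line.split("\t")))
        if row.get("source") != source:
            continue
        seen = row.get("seen_bytes", "-")
        if not seen.isdigit():  # "-" marks an unset field
            continue
        # rx_hosts is a set, written as a comma-separated list.
        for host in row.get("rx_hosts", "-").split(","):
            if host not in ("-", "(empty)"):
                totals[host] += int(seen)
    return dict(totals)


if __name__ == "__main__":
    for host, nbytes in sorted(smb_bytes_by_receiver(SAMPLE_FILES_LOG).items()):
        print(f"{host}\t{nbytes / 1e6:.1f} MB received over SMB")
```

Grouping by rx_hosts rather than conn_uids is what keeps multi-connection transfers together; swap in tx_hosts to total what each host served instead.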


