[Bro] SMB copied files not showing in files.log

Seth Hall seth at corelight.com
Mon Oct 30 07:51:45 PDT 2017 

SMB is a complicated protocol.  Windows systems will frequently call 
open on remote files but not actually transfer any of the bytes of the 
file.  I think there may be several scenarios where they do that and I 
may not understand them all completely yet unfortunately.

Generally if some bytes of a file are transferred over SMB, that file 
will show up in files.log since files.log is meant to represent the 
actual transfer of files.  The confusion arising from the smb_cmds.log 
file (where you saw the SMB::FILE_OPEN command) is one of the many 
reasons that that log is disabled by default too.

Are you experiencing a case where you know that a file was actually 
transferred over SMB but you didn't see a corresponding entry in 
files.log?  If that's true, then I would really appreciate a pcap of the 
problem!  I would really like to know about any cases where that isn't 
working correctly.

Thanks,
   .Seth

On 30 Oct 2017, at 8:22, Vikram Basu wrote:

> Hi,
>
> So I am using the SMB plugin for Bro by loading in local.bro but it 
> seems to be very inconsistent.
> Often times when I am copying files between two windows machines over 
> the domain there is no corresponding file in the files.log.
> The smb_files.log itself seems to filled up with a lot of .ini files 
> as well and they all seem to have the “SMB::FILE_OPEN” action even 
> when I haven’t opened any of them.
> I thought I would use files showing source as SMB in files.log to 
> differentiate when files are actually copied over the network but 
> often times Bro does not detect the same.
> Is there any particular way I need to share the files in windows to 
> get the copied files to show up consistently in bro?
>
> Regards
>
> Vikram Basu


> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall * Corelight, Inc * www.corelight.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171030/4cbb24d1/attachment.html

More information about the Bro mailing list