[Bro] Intel::FILE_NAME and SMB_files behavior questions
Seth Hall
seth at corelight.com
Thu Apr 5 06:16:47 PDT 2018
On 31 Mar 2018, at 18:14, James Gordon wrote:
> I have a few questions on behavioral issues with the intel framework
> and SMB / SMB file logging:
>
> 1. I’m not sure if this is expected behavior or not, but it
> doesn’t look like filenames parsed in smb_files.log are properly
> being logged in files.log.
I checked in our autogenerated documentation and I'm now noticing a
glaring lack of documentation about *what* that log represents. :(
That log is meant to represent that an action against a file was seen.
Considering that since SMB is a file system protocol you will see a lot
of actions that aren't necessarily file transfers. Most of what I've
typically seen in smb_files.log is files being opened. This seems be a
very common action in SMB, I don't know all of the reasons that an
application might open a file but not read nor write to it but it's
definitely seen a lot. I think that it could be a way for the client to
get a timestamp for a remote file or other metadata. Other actions that
fits into that log are file renames and deletes. File renames are
represented through the "name" and "prev_name" fields. Deletes just
give the name of the file before it was deleted.
The important field to look at is the "action" field since that's where
the log tells you what the client was actually doing. Here are all of
the potential actions that you will typically see there...
FILE_OPEN,
FILE_RENAME,
FILE_DELETE,
If you wanted, you could add FILE_CLOSE as action that you want logged
if you add this to your local.bro (I chose to leave this out by default
since it didn't seem to provide much extra context, but had a great
increase in log size)...
redef SMB::logged_file_actions += { SMB::FILE_CLOSE };
You could also have it include FILE_WRITE and FILE_READ, but those are
really not great to include and lead to a massive increase in log size
but I felt like transfers were better represented through the files.log
anyway. Generally if data is seen as being transferred that will be
represented in files.log since that's the aggregation point for all
"files" seen by Bro. smb_files.log can be really helpful if you need to
know when someone is poking around at files even if they aren't
transferring them and there is a lot of information there that can be
useful forensically (MAC times being the big one in my mind).
If you have thoughts on other SMB logs that you'd like to see or if you
have thoughts on extensions to the smb_files.log I'd love to hear them!
There is definitely no right or wrong answer to what should be in those
logs or even what logs should exist.
.Seth
--
Seth Hall * Corelight, Inc * www.corelight.com
More information about the Bro
mailing list