[Bro] Help enabling SMB protocol detection

Will Hawkins whh8b at virginia.edu
Mon Aug 6 13:20:13 PDT 2018


Well, I've figured out my own problem. Sorry to be so dense.

It turns out that the packaged version of bro for Ubuntu has built-in
support for SMB but it does not have any of the attendant protocol or
policy files. I built bro from git to make sure that everything was
up-to-date and had success.

Once you get the right bro version, the only step of enabling SMB
protocol analysis is to follow the comments in the local.bro file and
uncomment a single line:

# @load policy/protocols/smb

Once that's uncommented, everything works great! Again, sorry about
the previous question.

Thanks for being such an inviting and helpful community for the bro
users. It's a great tool and having a great community is icing on the
cake!

Will


On Mon, Aug 6, 2018 at 2:29 PM, Will Hawkins <whh8b at virginia.edu> wrote:
> Hello Bro Community!
>
> First, let me apologize for asking a very dumb question. I have
> sincerely tried to RTFM and I have done my research (Google, right?)
> but cannot seem to find the answer. I am attempting to analyze a pcap
> file that contains lots of SMB traffic using bro. I have a version of
> bro with built-in SMB protocol support:
>
> $ bro -n Bro::SMB
> Bro::SMB - SMB analyzer (built-in)
>
> That said, when I run
>
> bro -C -r ../XXX.pcapng
>
> I do not get a smb.log. That leads me to believe that SMB analysis is
> not enabled. I've tried looking for bro files in /usr/share/protocols/
> (etc) and cannot seem to find any. Editing a bro config file and
> adding
>
> @load base/protocols/smb
>
> gives me an error on bro startup.
>
> Can you tell me what stupid thing I am doing wrong? Thank you very
> much for your help. Again, I am sorry that this is such a silly
> question. I wish that I could answer it on my own!
>
> Will
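The two causes this thread runs into (the packaged build shipping the analyzer without its policy scripts, and the `@load policy/protocols/smb` line still being commented out in local.bro) can be checked mechanically. The following is an added POSIX sh example, not code from the thread or the Bro project; it assumes the SMB policy scripts live at `policy/protocols/smb/__load__.bro` under the Bro script directory, and it builds a constructed script tree and local.bro files so it runs without a Bro installation.

```shell
#!/bin/sh
# Added example: sanity checks for the two failure modes in the thread.
# Assumption: SMB policy scripts are at policy/protocols/smb/__load__.bro.

# smb_scripts_installed SCRIPT_DIR -> 0 if the SMB policy scripts are present
# (the Ubuntu package in the thread had the analyzer but not these files).
smb_scripts_installed() {
    [ -f "$1/policy/protocols/smb/__load__.bro" ]
}

# smb_policy_loaded LOCAL_BRO -> 0 if an active @load line is present.
# A line that still starts with '#' (after optional whitespace) is disabled.
smb_policy_loaded() {
    grep -Eq '^[[:space:]]*@load[[:space:]]+policy/protocols/smb([[:space:]]|$)' "$1"
}

# Constructed inputs so the script runs offline.
WORK=$(mktemp -d)
mkdir -p "$WORK/scripts/policy/protocols/smb" "$WORK/empty"
: > "$WORK/scripts/policy/protocols/smb/__load__.bro"   # fake complete script tree
                                                        # $WORK/empty has no SMB scripts

# local.bro as shipped: the load line is still commented out.
cat > "$WORK/local_disabled.bro" <<'EOF'
# Uncomment the following line to enable SMB analysis.
# @load policy/protocols/smb
EOF

# local.bro after following the advice in the thread.
cat > "$WORK/local_enabled.bro" <<'EOF'
@load policy/protocols/smb
EOF

# report CMD ARGS... : run a check and print its outcome
report() {
    if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi
}
report smb_scripts_installed "$WORK/scripts"
report smb_scripts_installed "$WORK/empty"
report smb_policy_loaded "$WORK/local_disabled.bro"
report smb_policy_loaded "$WORK/local_enabled.bro"
```

Point `smb_scripts_installed` at the script directory of a real build and `smb_policy_loaded` at its local.bro; a FAIL on the first check means the scripts are missing from the installation, a FAIL on the second means the line is still commented out.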

