[Bro] Help enabling SMB protocol detection

Johanna Amann johanna at icir.org
Sun Aug 12 17:57:43 PDT 2018


On Mon, Aug 06, 2018 at 04:20:13PM -0400, Will Hawkins wrote:
> Well, I've figured out my own problem. Sorry to be so dense.
> 
> It turns out that the packaged version of bro for Ubuntu has built-in
> support for SMB but it does not have any of the attendant protocol or
> policy files. I built bro from git to make sure that everything was
> up-to-date and had success.

Out of curiosity, is that the Bro version that ships with Ubuntu (as
opposed to the packages that we provide)?

If yes, we should probably contact the Ubuntu folks and tell them that
that is not that great :)

Johanna

> 
> Once you get the right bro version, the only step of enabling SMB
> protocol analysis is to follow the comments in the local.bro file and
> uncomment a single line:
> 
> # @load policy/protocols/smb
> 
> Once that's uncommented, everything works great! Again, sorry about
> the previous question.
> 
> Thanks for being such an inviting and helpful community for the bro
> users. It's a great tool and having a great community is icing on the
> cake!
> 
> Will
> 
> 
> On Mon, Aug 6, 2018 at 2:29 PM, Will Hawkins <whh8b at virginia.edu> wrote:
> > Hello Bro Community!
> >
> > First, let me apologize for asking a very dumb question. I have
> > sincerely tried to RTFM and I have done my research (Google, right?)
> > but cannot seem to find the answer. I am attempting to analyze a pcap
> > file that contains lots of SMB traffic using bro. I have a version of
> > bro with built-in SMB protocol support:
> >
> > $ bro -n Bro::SMB
> > Bro::SMB - SMB analyzer (built-in)
> >
> > That said, when I run
> >
> > bro -C -r ../XXX.pcapng
> >
> > I do not get a smb.log. That leads me to believe that SMB analysis is
> > not enabled. I've tried looking for bro files in /usr/share/protocols/
> > (etc) and cannot seem to find any. Editing a bro config file and
> > adding
> >
> > @load base/protocols/smb
> >
> > gives me an error on bro startup.
> >
> > Can you tell me what stupid thing I am doing wrong? Thank you very
> > much for your help. Again, I am sorry that this is such a silly
> > question. I wish that I could answer it on my own!
> >
> > Will
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
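The thread's point is that a built-in analyzer (`bro -n Bro::SMB`) is not the same as an enabled one: logging only appears once the policy script is loaded. As an added example (not code from the thread or from the Bro project), the POSIX shell functions below check whether a `local.bro` actually has the `@load policy/protocols/smb` line uncommented, flip it on, and run bro over a pcap with that policy loaded explicitly to confirm that SMB logs are written. The file paths and the presence of `bro` on PATH are assumptions.

```shell
#!/bin/sh
# Added example: verify that the SMB policy is really enabled, not just built in.

# Return 0 if FILE has an active (uncommented) '@load policy/protocols/smb'.
smb_policy_enabled() {
    grep -Eq '^[[:space:]]*@load[[:space:]]+policy/protocols/smb[[:space:]]*$' "$1"
}

# Write a constructed local.bro excerpt to FILE; the SMB line is commented
# out, which is how the stock file ships. Sample input, not a real config.
write_sample_local_bro() {
    cat > "$1" <<'EOF'
# Uncomment the following line to enable the SMB analyzer.
# @load policy/protocols/smb
@load policy/protocols/ssl/validate-certs
EOF
}

# Uncomment the SMB @load line (portable: write a temp file, then move it).
enable_smb_policy() {
    sed 's|^[[:space:]]*#[[:space:]]*@load policy/protocols/smb[[:space:]]*$|@load policy/protocols/smb|' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Run bro over PCAP with the SMB policy named on the command line and report
# whether any smb*.log was produced. Returns 0 if logs exist, 1 if bro ran
# but wrote none (policy not effective or no SMB in the trace), 2 if bro failed.
check_smb_logs() {
    pcap=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")   # absolute path for cd below
    out=$(mktemp -d)
    ( cd "$out" && bro -C -r "$pcap" policy/protocols/smb ) || return 2
    ls "$out"/smb*.log >/dev/null 2>&1
}
```

Point `check_smb_logs` at a trace that contains SMB traffic; an empty result with a loaded policy means the analyzer never fired, which is the symptom the original question described.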

