[Bro] Help enabling SMB protocol detection

Will Hawkins whh8b at virginia.edu
Mon Aug 13 12:29:35 PDT 2018


I figured that the problem was largely related to the fact that the LTS
distribution I was using had an outdated version of bro. Thank you for
confirming. Like I said, once I get 18.04 LTS installed, I will run this
little experiment again and make sure that everything "just works" with the
latest distribution. If there are still problems, we can tackle them then.

Thanks again for following up!

Will


2018-08-13 10:03 GMT-04:00 Azoff, Justin S <jazoff at illinois.edu>:

>
> > On Aug 12, 2018, at 11:53 PM, Will Hawkins <whh8b at virginia.edu> wrote:
> >
> > On Ubuntu 16.04 LTS, I have
> >
> > $ bro --version
> > bro version 2.4.1
>
> ah.. SMB support was part of 2.5.  2.4.1 only had a few events and not the
> full analyzer.
>
> Ubuntu 18.04 (bionic) has 2.5.3 and has the expected files:
>
> $ curl -s https://packages.ubuntu.com/xenial/all/bro-common/filelist | grep -i smb
> /usr/share/bro/base/bif/plugins/Bro_SMB.events.bif.bro
>
>
> $ curl -s https://packages.ubuntu.com/bionic/all/bro-common/filelist | grep -i smb
> /usr/share/bro/base/bif/plugins/Bro_SMB.consts.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.events.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_check_directory.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_close.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_create_directory.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_echo.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_logoff_andx.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_negotiate.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_nt_cancel.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_nt_create_andx.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_query_information.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_read_andx.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_session_setup_andx.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_transaction.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_transaction2.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_tree_connect_andx.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_tree_disconnect.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_com_write_andx.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb1_events.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_close.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_create.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_negotiate.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_read.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_session_setup.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_set_info.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_tree_connect.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_tree_disconnect.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb2_com_write.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.smb2_events.bif.bro
> /usr/share/bro/base/bif/plugins/Bro_SMB.types.bif.bro
> /usr/share/bro/base/protocols/smb/__load__.bro
> /usr/share/bro/base/protocols/smb/const-dos-error.bro
> /usr/share/bro/base/protocols/smb/const-nt-status.bro
> /usr/share/bro/base/protocols/smb/consts.bro
> /usr/share/bro/policy/protocols/smb/__load__.bro
> /usr/share/bro/policy/protocols/smb/dpd.sig
> /usr/share/bro/policy/protocols/smb/files.bro
> /usr/share/bro/policy/protocols/smb/main.bro
> /usr/share/bro/policy/protocols/smb/smb1-main.bro
> /usr/share/bro/policy/protocols/smb/smb2-main.bro
>
>
> --
> Justin Azoff
>
>
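The check Justin describes (is the installed bro new enough to carry the full SMB analyzer, and are the SMB policy scripts actually on disk?) can be scripted for the local host rather than read off packages.ubuntu.com. The script below is an added example, not code from the thread or from the Bro project; it assumes `bro` is on PATH, that the scripts install under `/usr/share/bro` (override with `BRO_PREFIX`), and takes the "SMB arrived in 2.5" threshold from Justin's reply.

```shell
#!/bin/sh
# Added example: verify that the locally installed bro can parse SMB.
# Assumptions: bro on PATH; scripts under /usr/share/bro unless BRO_PREFIX is set;
# the full SMB analyzer first shipped in bro 2.5 (per the thread).

BRO_PREFIX="${BRO_PREFIX:-/usr/share/bro}"

# Extract "X.Y[.Z]" from a "bro version X.Y.Z" line; prints nothing on no match.
bro_version_number() {
    printf '%s\n' "$1" | sed -n 's/^bro version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the version line is 2.5 or newer, 1 if older, 2 if unparseable.
version_has_smb() {
    ver=$(bro_version_number "$1")
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -ge 5 ] && return 0
    return 1
}

# Print each expected SMB script missing under the prefix (paths are the ones
# listed in the thread); return 0 only when all of them are present.
smb_scripts_present() {
    prefix="$1"
    missing=0
    for f in base/protocols/smb/__load__.bro \
             policy/protocols/smb/main.bro \
             policy/protocols/smb/smb1-main.bro \
             policy/protocols/smb/smb2-main.bro \
             policy/protocols/smb/files.bro; do
        if [ ! -f "$prefix/$f" ]; then
            echo "missing: $prefix/$f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

main() {
    if ! command -v bro >/dev/null 2>&1; then
        echo "bro not found on PATH"
        return 1
    fi
    line=$(bro --version 2>&1 | head -n 1)
    if version_has_smb "$line"; then
        echo "ok: $line includes the SMB analyzer"
    else
        echo "too old: $line (SMB analyzer needs 2.5 or newer)"
        return 1
    fi
    smb_scripts_present "$BRO_PREFIX"
}

# Run the check only when executed as a script, so the functions can be sourced.
case "$0" in
    *check-bro-smb.sh) main ;;
esac
```

Save it as `check-bro-smb.sh` and run it on the sensor; a non-zero exit with a "too old" line is the 16.04 situation from the thread, while "missing:" lines on a new enough version point at a partial package install rather than a version problem.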