[Bro] SMB files log

Johanna Amann johanna at icir.org
Thu Nov 29 16:52:36 PST 2018


Hi Luk,

On Thu, Nov 29, 2018 at 09:00:29AM +0000, Luk Schoonaert wrote:
> I enabled /opt/bro/share/bro/site/local.bro -> @load policy/protocols/smb
> 
> Running BRO 2.5.1 - I never get the smb_file.log, I do get these:

First, the thing I have to say - please update to 2.5.5. There are only
minor changes from 2.5.1 and a lot of security fixes.

Or - consider upgrading to 2.6 (which admittedly has a bunch of changes).

> smb_cmd.log
> smb_mapping.log
> 
> When I copy a file over SMB I'd expect the smb_files.log to be populated
> - I’m sure I’m missing something very simple, anyone have an idea?

I think you are right and that it should typically be logged.

There are 2 ways that I would start debugging this. First - if possible,
make a pcap of an operation that you would expect to create the
smb_files.log.

Run that through bro, and see if it is there now; if not, take a look at
smb_cmd.log and look if you can find activity that corresponds to the file
copying in there.

Johanna
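As an added example (not code from this thread), the two-step check Johanna describes as a POSIX shell script: replay the capture through Bro with the SMB policy loaded, then, if smb_files.log is still absent, count the file-related commands that smb_cmd.log recorded for the same copy. The `bro` invocation, the scratch directory and the four-line sample smb_cmd.log are assumptions of the example; run it with the pcap path as its only argument.

```shell
# Added example, not code from the thread: replay a pcap through Bro with the
# SMB policy loaded, report whether smb_files.log appeared and, if it did not,
# count the file-related commands that smb_cmd.log recorded for the same copy.
# Assumes 'bro' (2.5.x, with policy/protocols/smb under BROPATH) is installed.

# Count file-related SMB commands (CREATE/READ/WRITE in the 'command' column).
# The column is located by name from Bro's '#fields' header line, so the check
# does not depend on the column position, which differs between Bro versions.
count_file_cmds() {
    awk -F '\t' '
        $1 == "#fields" { for (i = 2; i <= NF; i++) if ($i == "command") col = i - 1; next }
        /^#/ { next }
        col && toupper($col) ~ /CREATE|READ|WRITE/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# Write a constructed four-line smb_cmd.log (simplified column set) to $1,
# standing in for a real capture when no pcap is available.
write_sample_cmd_log() {
    printf '#fields\tts\tuid\tcommand\targument\n' > "$1"
    printf '1543510000.1\tCsample\tSMB2_TREE_CONNECT\tshare\n' >> "$1"
    printf '1543510000.2\tCsample\tSMB2_CREATE\treport.txt\n' >> "$1"
    printf '1543510000.3\tCsample\tSMB2_WRITE\treport.txt\n' >> "$1"
    printf '1543510000.4\tCsample\tSMB2_CLOSE\treport.txt\n' >> "$1"
}

# Replay a pcap into a scratch directory with the SMB policy loaded (Bro 2.5
# does not load it by default) and report which SMB logs were written.
replay_pcap() {
    pcap="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
    outdir="$(mktemp -d)"
    (cd "$outdir" && bro -r "$pcap" policy/protocols/smb) || return 1
    if [ -f "$outdir/smb_files.log" ]; then
        echo "smb_files.log written in $outdir"
    elif [ -f "$outdir/smb_cmd.log" ]; then
        echo "no smb_files.log; file-related commands in smb_cmd.log: $(count_file_cmds "$outdir/smb_cmd.log")"
    else
        echo "no SMB logs at all: check that the pcap really contains SMB traffic"
    fi
}

if [ $# -gt 0 ]; then
    replay_pcap "$1"
else
    sample="$(mktemp)"
    write_sample_cmd_log "$sample"
    echo "sample smb_cmd.log file-related commands: $(count_file_cmds "$sample")"
    rm -f "$sample"
fi
```

If the count is zero for a capture that you know contained a file copy, the traffic probably never reached the SMB analyzer, which points at the capture or the port rather than at the file logging.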
