[Bro] SMB files log

Yi Sun yisun at heliosdata.com
Thu Nov 29 18:32:43 PST 2018


Here is what happened in my env: I can see the smb_file.log if I use smbclient from Linux, but when I do a mount, I don't see the log. I'm not an expert on this, and it is only what I see.
Yi

On 11/29/18, 5:05 PM, "bro-bounces at bro.org on behalf of Johanna Amann" <bro-bounces at bro.org on behalf of johanna at icir.org> wrote:

    Hi Luk,
    
    On Thu, Nov 29, 2018 at 09:00:29AM +0000, Luk Schoonaert wrote:
    > I enabled /opt/bro/share/bro/site/local.bro -> @load policy/protocols/smb
    > 
    > Running BRO 2.5.1 - I never get the smb_file.log, I do get these:
    
    First the thing I have to say - please update to 2.5.5. There are only
    minor changes to 2.5.1 and a lot of fixed security issues.
    
    Or - consider upgrading to 2.6 (which admittedly has a bunch of changes). 
    
    > smb_cmd.log
    > smb_mapping.log
    > 
    > When I copy a file over SMB I'd expect the smb_files.log to be populated
    > - I'm sure I'm missing something very simple, anyone have an idea?
    
    I think you are right and that it should typically be logged.
    
    There are 2 ways that I would start debugging this. First - if possible,
    make a pcap of an operation that you would expect to create the
    smb_files.log.
    
    Run that through bro, and see if it is there now; if not, take a look at
    smb_cmd.log and look if you can find activity that corresponds to the file
    copying in there.
    
    Johanna
    _______________________________________________
    Bro mailing list
    bro at bro-ids.org
    http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
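The capture-and-replay procedure Johanna describes, written out as an added example (this is not code from the thread or from the Bro project): capture only SMB traffic, replay the pcap through bro with the SMB policy loaded, then check whether smb_files.log appeared and, if not, pull the create/read/write rows out of smb_cmd.log so the file copy can be located. The interface, pcap and directory arguments are placeholders, and the smb_cmd.log excerpt is a constructed, abbreviated sample (real logs carry more columns) used only so the check can be exercised without bro. Run once on a capture of an smbclient copy and once on a copy through a mount, as in Yi's comparison, and diff the two outputs.

```shell
#!/bin/sh
# Added example (not from the thread or the Bro project): reproduce the
# pcap-and-replay debugging steps. Assumed: interface, pcap path and
# scratch directory arguments; the sample log below is constructed.

# Step 1: capture only SMB traffic (direct-hosted SMB and NetBIOS session).
# Needs root or capture privileges on the interface.
capture_smb() {
    iface="$1"; pcap="$2"
    tcpdump -i "$iface" -w "$pcap" 'tcp port 445 or tcp port 139'
}

# Step 2: replay the pcap through bro with the SMB policy loaded, writing
# logs into a scratch directory so they are not mixed with live logs.
run_bro_smb() {
    pcap="$1"; outdir="$2"
    mkdir -p "$outdir"
    (cd "$outdir" && bro -r "$pcap" policy/protocols/smb)
}

# Step 3a: did the run produce a non-empty smb_files.log?
smb_files_log_present() {
    [ -s "$1/smb_files.log" ]
}

# Step 3b: otherwise, pull the rows of smb_cmd.log that correspond to the
# file copy (create/read/write commands). Columns are located by the
# #fields header rather than by position, so the field list may change.
smb_cmd_file_activity() {
    awk -F '\t' '
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/       { next }
        $(col["command"]) ~ /CREATE|WRITE|READ/ {
            print $(col["ts"]), $(col["command"]), $(col["argument"])
        }
    ' "$1"
}

# Combine: succeed when smb_files.log exists, otherwise show the evidence.
check_smb_run() {
    if smb_files_log_present "$1"; then
        echo "smb_files.log written"
        return 0
    fi
    echo "no smb_files.log; file-related commands seen in smb_cmd.log:"
    smb_cmd_file_activity "$1/smb_cmd.log"
    return 1
}

# Constructed, abbreviated stand-in for a real smb_cmd.log (real logs carry
# more columns); used only so the check can be exercised without bro.
write_sample_smb_cmd_log() {
    {
        printf '#separator \\x09\n'
        printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tcommand\tsub_command\targument\tstatus\n'
        printf '1543537000.1\tC1\t10.0.0.5\t51000\t10.0.0.10\t445\tSMB2_NEGOTIATE\t-\t-\tSUCCESS\n'
        printf '1543537000.2\tC1\t10.0.0.5\t51000\t10.0.0.10\t445\tSMB2_TREE_CONNECT\t-\t%s\tSUCCESS\n' '\\10.0.0.10\share'
        printf '1543537000.3\tC1\t10.0.0.5\t51000\t10.0.0.10\t445\tSMB2_CREATE\t-\t%s\tSUCCESS\n' 'report.pdf'
        printf '1543537000.4\tC1\t10.0.0.5\t51000\t10.0.0.10\t445\tSMB2_WRITE\t-\t%s\tSUCCESS\n' 'report.pdf'
        printf '1543537000.5\tC1\t10.0.0.5\t51000\t10.0.0.10\t445\tSMB2_CLOSE\t-\t%s\tSUCCESS\n' 'report.pdf'
        printf '#close\t2018-11-29-18-32-43\n'
    } > "$1/smb_cmd.log"
}

# Usage with a real capture:
#   capture_smb eth0 /tmp/smb.pcap      (copy a file over SMB, then Ctrl-C)
#   run_bro_smb /tmp/smb.pcap /tmp/smb-logs && check_smb_run /tmp/smb-logs
```

The awk filter keys off the `#fields` header so it keeps working if the column order differs between Bro versions; on the constructed sample it reports the SMB2_CREATE and SMB2_WRITE rows for report.pdf, which is the activity you would expect the SMB file analysis to have turned into an smb_files.log entry.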