[Bro] SMB files log
yisun at heliosdata.com
Thu Nov 29 18:32:43 PST 2018
Here is what happened in my env: I can see the smb_file.log if I use smbclient from Linux, but when I do a mount, I don't see the log. I'm not an expert on this, and it is only what I see.
On 11/29/18, 5:05 PM, "bro-bounces at bro.org on behalf of Johanna Amann" <bro-bounces at bro.org on behalf of johanna at icir.org> wrote:
On Thu, Nov 29, 2018 at 09:00:29AM +0000, Luk Schoonaert wrote:
> I enabled /opt/bro/share/bro/site/local.bro -> @load policy/protocols/smb
> Running BRO 2.5.1 - I never get the smb_file.log, I do get these:
First the thing I have to say - please update to 2.5.5. There are only
minor changes to 2.5.1 and a lot of fixed security issues.
Or - consider upgrading to 2.6 (which admittedly has a bunch of changes).
> When I copy a file over SMB I'd expect the smb_files.log to be populated
> - I’m sure I’m missing something very simple, anyone have an idea?
I think you are right and that it should typically be logged.
There are 2 ways that I would start debugging this. First - if possible,
make a pcap of an operation that you would expect to create the
Run that through bro, and see if it is there now; if not, take a look at
smb_cmd.log and look if you can find activity that corresponds to the file
copying in there.
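
An added example, not part of the original messages: one way to do the smb_cmd.log check suggested above, grouping commands by connection and showing which connections carried file open/read/write/close activity. The sample log, the trimmed column set, the `FILE_OPS` list and the function names are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict

# Logs would come from replaying a capture, e.g.
#   bro -r copy.pcap policy/protocols/smb     (copy.pcap is a placeholder name)
# Command names that indicate file activity (assumed list covering SMB1 and
# SMB2 spellings in the "command" column; extend to match your own log).
FILE_OPS = {"CREATE", "READ", "WRITE", "CLOSE",
            "NT_CREATE_ANDX", "READ_ANDX", "WRITE_ANDX"}

# Constructed sample in Bro's tab-separated format, trimmed to a few columns.
SAMPLE_SMB_CMD_LOG = "\n".join([
    "#separator \\x09",
    "#path\tsmb_cmd",
    "#fields\tts\tuid\tcommand\tstatus\tversion",
    "1543541000.10\tCabc1\tNEGOTIATE_PROTOCOL\tSUCCESS\tSMB2",
    "1543541000.20\tCabc1\tSESSION_SETUP\tSUCCESS\tSMB2",
    "1543541000.30\tCabc1\tTREE_CONNECT\tSUCCESS\tSMB2",
    "1543541000.40\tCabc1\tCREATE\tSUCCESS\tSMB2",
    "1543541000.50\tCabc1\tWRITE\tSUCCESS\tSMB2",
    "1543541000.60\tCabc1\tCLOSE\tSUCCESS\tSMB2",
    "1543541050.10\tCdef2\tNEGOTIATE_PROTOCOL\tSUCCESS\tSMB2",
    "1543541050.20\tCdef2\tSESSION_SETUP\tSUCCESS\tSMB2",
    "#close\t2018-11-30-00-00-00",
])

def read_bro_log(lines):
    """Yield one dict per data row, keyed by the names in the #fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row before #fields header")
            yield dict(zip(fields, line.split("\t")))

def file_ops_by_connection(rows):
    """Map each connection uid to a Counter of the file-related commands seen."""
    per_conn = defaultdict(Counter)
    for row in rows:
        ops = per_conn[row["uid"]]          # registers uid even with no file ops
        if row["command"] in FILE_OPS:
            ops[row["command"]] += 1
    return dict(per_conn)

if __name__ == "__main__":
    rows = read_bro_log(SAMPLE_SMB_CMD_LOG.splitlines())
    for uid, ops in file_ops_by_connection(rows).items():
        print(uid, dict(ops) if ops else "no file open/read/write/close seen")
```

A connection that shows file commands in smb_cmd.log but has no matching uid in smb_files.log is the case worth attaching to a bug report along with the pcap.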