[Zeek] Question on Zeek SMB Logs and action "SMB::FILE_OPEN"

security devops jackjill77777 at gmail.com
Tue Jun 16 01:27:42 PDT 2020


Hi
I'm running Security Onion with Zeek 3.0.7.

I have a client accessing a NAS. Whenever a client accesses a folder
containing executables, Zeek will detect a "bro_smb_files" event type for
all the executables in the folder, even though the client did not open these
executables.

There would be an action of "SMB::FILE_OPEN" for all these executables and
they would be extracted to the "nsm/bro/extracted" folder.

Is this the default behaviour? It seems odd that the files are extracted
even though they did not cross the wire.

I'm also a little confused over the "SMB::FILE_OPEN" action when I referenced
the Zeek documentation. Does it mean the file was "open" even though the client
only accessed the mapped folder?

The follow-up question on this would be the forensic integrity of the files.
Would this weird SMB behavior affect the "access" date of the file (I am
referring to the MACB dates of the file)?

thank you
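As an added example (not from the original post or from the Zeek project), a small Python triage script over a constructed smb_files.log excerpt that separates file handles showing only an SMB::FILE_OPEN action from those that also show a read or write, which is the distinction the question turns on. The column names and action values follow Zeek's smb_files.log; the sample records are constructed, and the script assumes all actions on one file handle share a fuid.

```python
from collections import defaultdict


def row(*cols):
    """Join columns with the tab separator Zeek uses in its TSV logs."""
    return "\t".join(cols)


# Constructed excerpt of a Zeek smb_files.log (subset of its real columns).
# Two executables get an open record when the share is listed; only one of
# them is subsequently read.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    row("#fields", "ts", "uid", "fuid", "action", "path", "name", "size"),
    row("#types", "time", "string", "string", "enum", "string", "string", "count"),
    row("1592270862.100000", "CabcXY1", "Fa1", "SMB::FILE_OPEN", r"\\nas\tools", "tool1.exe", "40960"),
    row("1592270862.200000", "CabcXY1", "Fa2", "SMB::FILE_OPEN", r"\\nas\tools", "tool2.exe", "8192"),
    row("1592270863.000000", "CabcXY1", "Fa1", "SMB::FILE_READ", r"\\nas\tools", "tool1.exe", "40960"),
    "#close\t2020-06-16-01-27-42",
])

# Actions that imply file content actually crossed the wire.
TRANSFER_ACTIONS = {"SMB::FILE_READ", "SMB::FILE_WRITE"}


def parse_zeek_tsv(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines (#separator, #types, #close)
        yield dict(zip(fields, line.split("\t")))


def classify_handles(text):
    """Split file handles into those opened only and those read/written."""
    actions = defaultdict(set)
    names = {}
    for rec in parse_zeek_tsv(text):
        actions[rec["fuid"]].add(rec["action"])
        names[rec["fuid"]] = rec["name"]
    opened_only = sorted(names[f] for f, a in actions.items()
                         if "SMB::FILE_OPEN" in a and not a & TRANSFER_ACTIONS)
    transferred = sorted(names[f] for f, a in actions.items()
                         if a & TRANSFER_ACTIONS)
    return {"opened_only": opened_only, "transferred": transferred}


if __name__ == "__main__":
    print(classify_handles(SAMPLE_LOG))
```

Only names in the "transferred" list can have produced meaningful extracted content; an "opened_only" entry reflects a handle open with no read or write seen on the wire.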