bro files - network drive

Vlad_Grigorescu3 · May 16, 2017, 4:43pm

Izik Birka <Izik.Birka@hot.net.il> writes:

Why when I only search file in network drive all the files in the
network drive are written to files.log ?

I'm assuming you mean over SMB? More data than just file transfers is
logged because it can be useful for incident response.

How can I detect a real file transfer ?

Take a look at the total_bytes and seen_bytes fields.

--Vlad

Izik_Birka · May 17, 2017, 9:03am

hi
YES , over smb
my problem is when I searching files on file server all the files are written to files.log (include total_bytes and seen_bytes data)
and because of that I can't distinguish between search on file server and copy files from the file server

any suggestion ?

thanks

Topic		Replies	Views
bro files - network drive Zeek	1	86	May 6, 2022
SMB copied files not showing in files.log Zeek	4	91	May 6, 2022
lack of seen_bytes Zeek	2	115	May 6, 2022
Extracting files transferred over smb Zeek	2	149	May 6, 2022
[EXT] Question on Zeek SMB Logs and action "SMB::FILE OPEN" Zeek	3	115	May 6, 2022

bro files - network drive

Related topics