BRO - Ransomware

Hi All,

I am trying to add smb-ransomware.bro to my Bro setup. Where should I include this in the Bro directories?

root@csh:/home/raj# find / -name "smb"
/nsm/bro/share/bro/policy/protocols/smb
/nsm/bro/share/bro/base/protocols/smb
/opt/bro/bro-2.5/testing/btest/Traces/smb
/opt/bro/bro-2.5/testing/btest/scripts/base/protocols/smb
/opt/bro/bro-2.5/scripts/policy/protocols/smb
/opt/bro/bro-2.5/scripts/base/protocols/smb
/opt/bro/bro-2.5/build/src/analyzer/protocol/smb
/opt/bro/bro-2.5/src/analyzer/protocol/smb

And after this I can include in local.bro: @load policy/protocols/smb

Thanks,

Typically user scripts go into site. Looking at the smb ransomware script,
you will probably also need to modify it slightly so it loads
policy/protocols/smb instead of base/protocols/smb.

You should be able to directly load it from local.bro if it is in the
site directory.

Johanna
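
The steps from the reply above, scripted as an added example (not part of the original thread and not code from the Bro project). The function name `install_site_script` is hypothetical, and the site path in the usage comment is an assumption based on the `/nsm/bro/share/bro` prefix in the `find` output.

```shell
#!/bin/sh
# Added example: install a user script into Bro's site directory, switch its
# SMB dependency from base/ to policy/, and load it from local.bro.

# install_site_script SRC SITE_DIR
#   SRC       path to the downloaded script, e.g. ./smb-ransomware.bro
#   SITE_DIR  Bro site directory that contains local.bro
install_site_script() {
    src=$1
    site=$2
    name=$(basename "$src" .bro)

    [ -f "$src" ] || { echo "missing script: $src" >&2; return 1; }
    [ -f "$site/local.bro" ] || { echo "no local.bro in $site" >&2; return 1; }

    # Copy into site, rewriting only the exact SMB load line so that other
    # @load statements in the script are left untouched.
    sed 's|^@load[[:space:]]\{1,\}base/protocols/smb[[:space:]]*$|@load policy/protocols/smb|' \
        "$src" > "$site/$name.bro" || return 1

    # Add the load line to local.bro once; re-running must not duplicate it.
    grep -qxF "@load ./$name" "$site/local.bro" ||
        printf '@load ./%s\n' "$name" >> "$site/local.bro"
}

# Usage (site path is an assumption, adjust to your install):
#   install_site_script ./smb-ransomware.bro /nsm/bro/share/bro/site
```

Running `broctl check` afterwards confirms the scripts still parse before the change is deployed.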