Extracting files transferred over smb


Using hosom’s excellent file-extraction module for Bro, I am able to extract files transferred over FTP and HTTP. I am left wondering, however, if there is a way to extract files transferred over SMB as well. Bro can already track SMB files, from what I understand. How difficult would it be to extract files transferred over SMB currently?

Also, I lack any accessible SMTP server at the moment, so I have to ask: can Bro extract files transferred over SMTP as well?


Vikram Basu

File extraction over SMB should be fairly trivial. In fact, there's nothing limiting the plugin from doing it currently. Any of the extracted filetypes will be extracted regardless of protocol or direction--so long as Bro sees a file and it matches the extraction 'policy' configured in the plugin.

If you wanted to find files specifically being extracted from SMB, look in your files.log for entries where the source field is SMB and the extracted value isn't unset (which by default is "-").

If you're interested in a plugin that specifically targets files transferred over SMB... I could see the usefulness of that and would gladly write it sometime in the next couple nights.
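As an added illustration of the files.log check described in the reply above (this is not hosom's module nor code from Bro itself), the script below parses a Bro-style tab-separated log, honouring the `#separator`, `#unset_field` and `#fields` header lines, and returns the records whose `source` is SMB and whose `extracted` column is set. The sample log is constructed: the hosts, fuids, filenames and extracted names are made up, and the column list is trimmed to the fields needed here, but the parser reads whatever `#fields` declares.

```python
"""List files that Bro's file-extraction module wrote out from SMB sessions,
by filtering files.log on source == "SMB" and a non-unset 'extracted' field."""
import codecs

# Constructed sample files.log (not from a real capture). Columns are a subset
# of the real files.log; values are invented for illustration.
SAMPLE_FILES_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\ttx_hosts\trx_hosts\tsource\tmime_type\tfilename\tseen_bytes\textracted
#types\ttime\tstring\tset[addr]\tset[addr]\tstring\tstring\tstring\tcount\tstring
1462000000.100000\tFa1example\t10.0.0.5\t10.0.0.9\tHTTP\ttext/html\t-\t512\t-
1462000001.200000\tFb2example\t10.0.0.12\t10.0.0.20\tSMB\tapplication/x-dosexec\tsetup.exe\t73728\tSMB-Fb2example.exe
1462000002.300000\tFc3example\t10.0.0.12\t10.0.0.20\tSMB\ttext/plain\tnotes.txt\t140\t-
1462000003.400000\tFd4example\t10.0.0.7\t10.0.0.9\tHTTP\tapplication/pdf\t-\t90112\tHTTP-Fd4example.pdf
#close\t2016-04-30-10-00-00
"""


def parse_bro_log(text):
    """Parse Bro's ASCII log format into a list of dicts keyed by field name.

    Header lines start with '#'. '#separator' declares the column separator as
    an escape sequence (e.g. \\x09 for tab); '#unset_field' declares the marker
    for unset values (by default '-'), which are mapped to None here; '#fields'
    names the columns. Other header lines (#types, #path, #open, #close) are
    skipped.
    """
    sep = "\t"
    unset = "-"
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # The separator line is the only header that uses a space, since
            # the separator itself is not known yet.
            sep = codecs.decode(line.split(" ", 1)[1], "unicode_escape")
            continue
        if line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key == "unset_field":
                unset = vals[0]
            elif key == "fields":
                fields = vals
            continue
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        vals = line.split(sep)
        if len(vals) != len(fields):
            raise ValueError("column count %d does not match #fields (%d)"
                             % (len(vals), len(fields)))
        records.append({f: (None if v == unset else v)
                        for f, v in zip(fields, vals)})
    return records


def smb_extracted(records):
    """Return files.log records for files seen over SMB that were written to
    disk by the extraction module (i.e. 'extracted' is not unset)."""
    return [r for r in records
            if r.get("source") == "SMB" and r.get("extracted") is not None]


if __name__ == "__main__":
    for rec in smb_extracted(parse_bro_log(SAMPLE_FILES_LOG)):
        print("%s %s -> %s (%s)" % (rec["fuid"], rec["filename"],
                                    rec["extracted"], rec["mime_type"]))
```

Running it prints only the one SMB record that has an `extracted` value; the SMB text file that was tracked but not extracted and the extracted HTTP download are both left out, which is exactly the distinction the reply draws. To use it on a real files.log, pass the file contents to `parse_bro_log` instead of the constructed sample.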