Fox-IT smb-ransomware bro script

Has anyone had any success with Fox-ITs smb-ransomware script?

See: https://github.com/fox-it/bro-scripts/blob/master/smb-ransomware/smb-ransomware.bro

I am getting:

error in ./smb-ransomware.bro, line 80: no such field in record (FoxCryptoRansom::c$smb_state)
error in ./smb-ransomware.bro, line 84: no such field in record (FoxCryptoRansom::c$smb_state)

error in ./smb-ransomware.bro, line 84: unknown identifier SMB::FILE_WRITE, at or near “SMB::FILE_WRITE”

I didn’t want to open a github issue if there is a simple fix that I am unaware of. Thanks!

What version of Bro are you running. This would only work on the Bro 2.5
beta, or if you're using the SMB branch.

erik clark <philosnef@gmail.com> writes:

2.5. I know smb is working, as I am getting smb_files and ntlm logs.

Aha! Line 2 says:

@load base/protocols/smb

I added

@load policy/protocols/smb

and it worked. Any idea why my smb stuff is in policy/protocols and not base/protocols?

base is loaded by default

policy needs to be loaded as a matter of your organizations policy

We decided to place the code that enables the SMB analyzer into policy/protocols for the 2.5 release because it's a lot of code and we *believe* that it should work well, but we didn't feel comfortable turning it on by default like the other analyzers because of the amount of new code. I feel pretty confident that we will be moving it to base for the 2.6 release, but it is what it is for now. :slight_smile:

  .Seth