Has anyone had any success with Fox-IT's smb-ransomware script?
See: https://github.com/fox-it/bro-scripts/blob/master/smb-ransomware/smb-ransomware.bro
I am getting:
error in ./smb-ransomware.bro, line 80: no such field in record (FoxCryptoRansom::c$smb_state)
error in ./smb-ransomware.bro, line 84: no such field in record (FoxCryptoRansom::c$smb_state)
error in ./smb-ransomware.bro, line 84: unknown identifier SMB::FILE_WRITE, at or near “SMB::FILE_WRITE”
I didn’t want to open a github issue if there is a simple fix that I am unaware of. Thanks!
What version of Bro are you running? This would only work on the Bro 2.5
beta, or if you're using the SMB branch.
erik clark <philosnef@gmail.com> writes:
2.5. I know smb is working, as I am getting smb_files and ntlm logs.
Aha! Line 2 says:
@load base/protocols/smb
I added
@load policy/protocols/smb
and it worked. Any idea why my smb stuff is in policy/protocols and not base/protocols?
base is loaded by default
policy needs to be loaded as a matter of your organization's policy
We decided to place the code that enables the SMB analyzer into policy/protocols for the 2.5 release because it's a lot of code and we *believe* that it should work well, but we didn't feel comfortable turning it on by default like the other analyzers because of the amount of new code. I feel pretty confident that we will be moving it to base for the 2.6 release, but it is what it is for now.
.Seth
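For readers hitting the same "no such field in record (c$smb_state)" error, here is an added example (not the Fox-IT script and not part of this thread) of a Bro 2.5 site script that loads the SMB analyzer from policy/ before a script that depends on it, and then touches the same record fields the Fox-IT script needs. The module name, the write threshold and the handler logic are constructed for illustration only.

```bro
# Bro 2.5: the SMB analyzer lives under policy/, so it must be loaded
# explicitly; "@load base/protocols/smb" alone does not enable it.
@load policy/protocols/smb
# The Fox-IT script can be loaded after the analyzer (assumed to sit
# beside this file as smb-ransomware.bro).
@load ./smb-ransomware

module SmbLoadCheck;   # constructed name, not from the Fox-IT script

export {
    # Constructed threshold: print once when a connection issues this many SMB2 writes.
    const write_threshold = 200 &redef;
}

# Per-connection write counter, keyed on the connection UID.
global writes_per_conn: table[string] of count &default=0 &create_expire=10min;

event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID,
                         offset: count, length: count)
    {
    # c$smb_state and SMB::FILE_WRITE only exist once policy/protocols/smb is loaded;
    # without it, a script referencing them fails to parse (the error in this thread).
    if ( ! c?$smb_state || ! c$smb_state?$current_file )
        return;

    ++writes_per_conn[c$uid];
    if ( writes_per_conn[c$uid] == write_threshold )
        {
        local fname = c$smb_state$current_file?$name ? c$smb_state$current_file$name : "<unknown>";
        print fmt("%s: %d SMB2 writes in one connection (last file: %s)", c$uid, write_threshold, fname);
        }
    }
```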