How to enable the SMB analyzer in Bro 2.3?

Hi All,

I’m a newbie to Bro. Currently I’m working on a project that needs to analyze SMB traffic. I want to enable all the SMB-related events, so I googled a bit and tried the following script:

##################SCRIPT BEGIN###############

# Ports on which SMB and its NetBIOS/MSRPC framing are expected.
const smbports = {
	135/tcp, 137/tcp, 138/tcp, 139/tcp, 445/tcp
};

# Make sure traffic on those ports gets into the capture filter.
redef capture_filters += {
	["msrpc"] = "tcp port 135",
	["netbios-ns"] = "tcp port 137",
	["netbios-ds"] = "tcp port 138",
	["netbios"] = "tcp port 139",
	["smb"] = "tcp port 445"
};

# Attach the SMB analyzer to those ports (this is the line the error below refers to).
redef dpd_config += { [Analyzer::ANALYZER_SMB] = [$ports = smbports] };

redef likely_server_ports += { 445/tcp };

# Per-connection SMB state; note that the Info type is not defined anywhere in this script.
redef record connection += {
	smb: Info &optional;
};

# Analyze SMB data: print the payload of every ReadAndX message.
event smb_com_read_andx(c: connection, hdr: smb_hdr, data: string)
	{
	print data;
	}

###################SCRIPT END################

Then I saved this file as smb_try.bro and ran the command:

bro -r ./smb.pcap -B dpd ./smb_try.bro

However, bro gave me the following error message:

“redef” used but not previously defined (dpd_config)

It seems that Bro can’t find the identifier dpd_config. Am I missing some scripts that need to be loaded at the beginning? What else should I do to enable the SMB analyzer?

Best,

Xiang

Assuming you’re working in Bro 2.2 or 2.3, activating analyzers is much different from previous versions.

You should remove this line:

redef dpd_config += { [Analyzer::ANALYZER_SMB] = [$ports = smbports] };

And add this code:

event bro_init() &priority=5
	{
	# Bro 2.2+ way of binding an analyzer to a set of ports.
	Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, smbports);
	}

With that said, and to my knowledge, the SMB analyzer is still not in a complete, working state. Anyone, please correct me if I am wrong. I’d look forward to seeing if anyone, or the core development team, can make improvements on it. Seth did work on a 2.1 development branch, but this no longer seems to be functioning for the latest stable releases.
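Putting the answer's fix together with the question's script, the following is a complete smb_try.bro for Bro 2.2/2.3. It is an added example written for this page, not code from either poster. It assumes the SMB analyzer (Analyzer::ANALYZER_SMB) and its smb_com_read_andx event are compiled into your Bro binary; the reduced port set, the name smb_ports and the print format are my own choices.

```bro
# smb_try.bro: register the SMB analyzer the Bro 2.2/2.3 way and report ReadAndX payloads.
# Added example, not code from the original thread.
# Run with:  bro -r ./smb.pcap ./smb_try.bro

# Ports to attach the SMB analyzer to. Only 445/tcp carries SMB directly;
# 139/tcp carries it inside NetBIOS session framing. (Assumed port set.)
const smb_ports: set[port] = { 139/tcp, 445/tcp } &redef;

# Bro 2.2+ captures everything by default ("ip or not ip"), so no
# capture_filters entry is needed. If you narrow the filter elsewhere,
# keep these ports in it.

# Treat 445/tcp as a server port when deciding connection direction.
redef likely_server_ports += { 445/tcp };

event bro_init() &priority=5
	{
	# Replaces the pre-2.2 `redef dpd_config += { ... }` idiom, which
	# no longer exists and produces the "redef used but not previously
	# defined (dpd_config)" error from the question.
	Analyzer::register_for_ports(Analyzer::ANALYZER_SMB, smb_ports);
	}

event smb_com_read_andx(c: connection, hdr: smb_hdr, data: string)
	{
	# Read payloads are arbitrary file contents; print only a bounded,
	# escaped prefix plus the connection identifiers instead of raw data.
	local prefix = sub_bytes(data, 1, 32);
	print fmt("%s %s:%s -> %s:%s cmd=0x%x read_andx %d bytes prefix=%s",
	          c$uid, c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
	          hdr$command, |data|, escape_string(prefix));
	}
```

Two checks before relying on this: if Bro reports Analyzer::ANALYZER_SMB as an unknown identifier, the SMB analyzer is simply not built into that binary, which is consistent with the caveat in the answer above; and if it is built in but listed in Analyzer::disabled_analyzers, it has to be removed from that set before register_for_ports has any effect. The `-B dpd` flag from the question is a debug-stream switch that only does anything in a Bro built with `--enable-debug`; it is not needed to run this script.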