smb analyzer does not seem to be enabled

Freshly built 25master, feeding bro a pcap with 445 traffic, no smb logs produced. Do you need to explicitly enable it somewhere?

local.bro:

    # Uncomment the following line to enable the SMB analyzer. The analyzer
    # is currently considered a preview and therefore not loaded by default.
    # @load policy/protocols/smb

Hm. I enabled it in

    /opt/bro/share/bro/site/local.bro

    @load policy/protocols/smb

and I ran a pcap with exclusively 445 port traffic, but got nothing back. The pcap is 70 megs big. (tcpdump -w pcap “port 445”)

I am trying to get output from smb2.pcap (included in Traces directory in the master branch), but that also does not produce any smb logs.

bro -N shows

    Bro::SMB - SMB analyzer (built-in)

so I am not sure why the entry in local.bro is apparently not causing smb events to fire? Thanks for your time!

Ah, ignore this! I am not getting any smb traffic I guess on this link, and I had to explicitly call the smb analyzer:

    bro -C -r $pcap /opt/bro/share/bro/policy/protocols/smb/load.bro

Thanks all, this works fantastic!

How did you run the pcap file? If you just ran

    bro -r foo.pcap

that does not load the local config, you need to use

    bro local -r foo.pcap

or use `broctl process`.
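As an added example (not part of this thread, and not Bro project code), the following script wraps the invocation recommended above so that `local.bro` is actually loaded, and then checks whether the SMB analyzer wrote anything. It assumes `bro` is on PATH, that `local.bro` contains `@load policy/protocols/smb`, and that the analyzer's logs are named `smb_mapping.log` and `smb_files.log` (the names used by the 2.5 SMB policy scripts; adjust if your version differs). The `-C` flag mirrors the poster's own command line and tells Bro to ignore bad TCP checksums, which is common in captures taken on the sending host.

```shell
#!/bin/sh
# Added example: run Bro on a pcap with the site config loaded and verify
# that SMB logs were produced. Assumes `bro` is installed and on PATH.
set -e

# Log files written by policy/protocols/smb (assumed names for Bro 2.5).
SMB_LOGS="smb_mapping.log smb_files.log"

# Return 0 if at least one SMB log in the directory contains a data record
# (a line that is not a '#' header), 1 otherwise. Bro writes header lines
# even before any record, so a mere file-exists test is not enough.
smb_logs_present() {
    dir=$1
    for f in $SMB_LOGS; do
        if [ -f "$dir/$f" ] && grep -q -v '^#' "$dir/$f"; then
            return 0
        fi
    done
    return 1
}

# Run Bro in a fresh directory so its logs do not mix with earlier runs.
# `bro local -r` (not plain `bro -r`) is what pulls in local.bro and hence
# the @load of the SMB policy.
run_with_local() {
    pcap=$1
    outdir=$(mktemp -d)
    ( cd "$outdir" && bro -C local -r "$pcap" ) || {
        echo "bro failed on $pcap" >&2
        return 2
    }
    if smb_logs_present "$outdir"; then
        echo "SMB logs written to $outdir"
        return 0
    fi
    echo "no SMB records in $outdir: check that local.bro @loads policy/protocols/smb and that the pcap really carries SMB" >&2
    return 1
}

# Usage: ./check_smb.sh /path/to/capture.pcap
if [ $# -gt 0 ]; then
    run_with_local "$1"
fi
```

If the script reports no SMB records even though `bro -N` lists `Bro::SMB`, look at `conn.log` in the output directory first: if port 445 connections appear there with an empty `service` column, the traffic reached Bro but the analyzer was never attached, which points at the `@load` line rather than at the capture.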