Freshly built 2.5 master, feeding bro a pcap with port 445 traffic, no smb logs produced. Do you need to explicitly enable it somewhere?
local.bro:
# Uncomment the following line to enable the SMB analyzer. The analyzer
# is currently considered a preview and therefore not loaded by default.
# @load policy/protocols/smb
Hm. I enabled it in
/opt/bro/share/bro/site/local.bro
with
@load policy/protocols/smb
and I ran a pcap with exclusively port 445 traffic, but got nothing back. The pcap is 70 MB (tcpdump -w pcap "port 445").
I am trying to get output from smb2.pcap (included in Traces directory in the master branch), but that also does not produce any smb logs.
bro -N shows: Bro::SMB - SMB analyzer (built-in)
so I am not sure why the entry in local.bro is apparently not causing smb events to fire. Thanks for your time!
Ah, ignore this! I guess I am not getting any SMB traffic on this link, and I had to explicitly call the SMB analyzer:
bro -C -r $pcap /opt/bro/share/bro/policy/protocols/smb/__load__.bro
Thanks all, this works fantastic!
How did you run the pcap file? If you just ran
bro -r foo.pcap
that does not load the local config; you need to use
bro local -r foo.pcap
or use `broctl process`.
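As an added example (not code from this thread or from the Bro project), here is a small Bro script that loads the preview SMB policy scripts itself, the same thing the commented-out line in local.bro does, and prints a line for every SMB1/SMB2 tree connect the built-in analyzer reports. Running it against a pcap tells you directly whether SMB events are firing, independently of whether local.bro was picked up. The file name smb_check.bro, the module name and the counter names are my own choices; the two tree-connect event handlers use the signatures of the built-in SMB analyzer's events.

```bro
# smb_check.bro: added example, not part of the original thread.
# Run with:  bro -C -r smb2.pcap smb_check.bro
# Loads the SMB policy scripts directly so the result does not depend on
# whether local.bro was loaded, then counts tree connects as evidence that
# the SMB analyzer is attached to the traffic.
@load policy/protocols/smb

module SMBCheck;

export {
    # Counters for tree connects seen in this run (names are ours).
    global smb1_tree_connects: count = 0;
    global smb2_tree_connects: count = 0;
}

# Fired by the built-in analyzer for SMB1 TREE_CONNECT_ANDX requests.
event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string)
    {
    ++smb1_tree_connects;
    print fmt("SMB1 tree connect %s -> %s path=%s service=%s",
              c$id$orig_h, c$id$resp_h, path, service);
    }

# Fired by the built-in analyzer for SMB2 TREE_CONNECT requests.
event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string)
    {
    ++smb2_tree_connects;
    print fmt("SMB2 tree connect %s -> %s path=%s",
              c$id$orig_h, c$id$resp_h, path);
    }

event bro_done()
    {
    print fmt("SMB1 tree connects: %d, SMB2 tree connects: %d",
              smb1_tree_connects, smb2_tree_connects);
    # Zero on a capture that is all port 445 traffic means the analyzer never
    # saw an SMB session: either the traffic is not actually SMB, or the
    # capture is missing the session start the analyzer needs to attach.
    if ( smb1_tree_connects == 0 && smb2_tree_connects == 0 )
        print "No SMB tree connects seen: check that the traffic is really SMB and that sessions start inside the capture.";
    }
```

If this prints tree connects but the smb_*.log files are still missing from a `bro -r foo.pcap` run, the scripts are working and the problem is that local.bro was not loaded on that command line.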