SMB connections

Hello Bro Community,

I am working on data exfiltration and I have just tested the Exfil Framework.
I have noticed that the script failed to detect file uploads from the file server using the SMB protocol. Looking at the connection logs (conn.log), the SMB connections are unfortunately not logged.
Would it be a known issue? Or should I tune some params?
Please note that the traffic arrives at the Bro machine (I have checked using tcpdump).

Many thanks,

BR,
Zied

Hi,

The Exfil Framework is developed by someone from Reservoir Labs. Please
contact them with any questions.

That being said, note that SMB support in Bro is a best-effort
implementation of part of the specification (and very different from
what's actually seen on the wire), so detecting exfil over SMB likely
won't work at all.

  --Vlad

Hi Zied,

By default, the Exfil framework will only attach to flows originated
by addresses in 10.0.0.0/8 that have a non-local responder.

Try setting "ignore_local_dest_conn" to F in app-exfil-conn.bro.

--bob

Hello,

I have already set this variable to False.
I have also tried some other scripts to log the SMB connections. I’ve got random log output: only a few SMB connections were logged, but not all of them…

Many thanks,

BR,
Zied

How big are the files that you are transferring?

What percentage loss are you seeing in your capture_loss log?

Hi,

I have tried with ~10 MB and ~100 MB files.
Yes, I’m seeing some packet drops in the notice.log. I’ll activate the packet_loss module to get the exact percentage.

PS: I’m running 4 workers and everything seems to be OK so far: low CPU and memory usage (the packet loss still exists…).

Regards,
Zied
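
The capture_loss check asked about above can be done per worker with a short script. This is an added example, not code from the thread or from the Bro project. It assumes the standard tab-separated capture_loss.log layout with `peer`, `gaps` and `acks` fields; the sample records are constructed and the 1% threshold is an arbitrary assumption.

```python
from collections import defaultdict

# Constructed sample in Bro's tab-separated log layout (not data from the thread).
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#path\tcapture_loss\n"
    "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost\n"
    "#types\ttime\tinterval\tstring\tcount\tcount\tdouble\n"
    "1500000000.0\t900.0\tworker-1\t10\t1000\t1.0\n"
    "1500000000.0\t900.0\tworker-2\t0\t5000\t0.0\n"
    "1500000000.0\t900.0\tworker-3\t0\t0\t0.0\n"
    "1500000000.0\t900.0\tworker-4\t250\t1000\t25.0\n"
    "1500000900.0\t900.0\tworker-1\t30\t1000\t3.0\n"
    "1500000900.0\t900.0\tworker-2\t5\t5000\t0.1\n"
    "#close\t2017-07-14-03-15-00\n"
)

def parse_bro_log(text):
    """Yield one dict per record, keyed by the names on the #fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record seen before the #fields header")
            yield dict(zip(fields, line.split("\t")))

def loss_by_peer(records):
    """Return {peer: percent lost} recomputed from summed gaps and acks,
    so short intervals with few ACKs do not skew the figure."""
    gaps, acks = defaultdict(int), defaultdict(int)
    for rec in records:
        if "-" in (rec["gaps"], rec["acks"]):  # "-" marks an unset field
            continue
        gaps[rec["peer"]] += int(rec["gaps"])
        acks[rec["peer"]] += int(rec["acks"])
    return {p: (100.0 * gaps[p] / acks[p] if acks[p] else 0.0) for p in acks}

def lossy_peers(summary, threshold=1.0):
    """Workers at or above the threshold (1% is an assumed cut-off)."""
    return sorted(p for p, pct in summary.items() if pct >= threshold)

if __name__ == "__main__":
    summary = loss_by_peer(parse_bro_log(SAMPLE_LOG))
    for peer in sorted(summary):
        print(f"{peer}: {summary[peer]:.2f}% lost")
    print("above threshold:", lossy_peers(summary))
```

A worker that stands out here while CPU and memory look healthy points at loss before the traffic reaches Bro (NIC, tap or load balancing) rather than at the analysis scripts.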