SMB copied files not showing in files.log


So I am using the SMB plugin for Bro by loading in local.bro but it seems to be very inconsistent.

Oftentimes when I am copying files between two Windows machines over the domain there is no corresponding file in the files.log.

The smb_files.log itself seems to be filled up with a lot of .ini files as well, and they all seem to have the “SMB::FILE_OPEN” action even when I haven’t opened any of them.

I thought I would use files showing source as SMB in files.log to differentiate when files are actually copied over the network, but oftentimes Bro does not detect the same.

Is there any particular way I need to share the files in Windows to get the copied files to show up consistently in Bro?


Vikram Basu

SMB is a complicated protocol. Windows systems will frequently call open on remote files but not actually transfer any of the bytes of the file. I think there may be several scenarios where they do that and I may not understand them all completely yet unfortunately.

Generally if some bytes of a file are transferred over SMB, that file will show up in files.log since files.log is meant to represent the actual transfer of files. The confusion arising from the smb_cmds.log file (where you saw the SMB::FILE_OPEN command) is one of the many reasons that that log is disabled by default too.

Are you experiencing a case where you know that a file was actually transferred over SMB but you didn’t see a corresponding entry in files.log? If that’s true, then I would really appreciate a pcap of the problem! I would really like to know about any cases where that isn’t working correctly.


Hi all, my colleagues and I have identified a scenario where one or more files are read without any real intention from the client (user or process). We have found that the presence of an antivirus (AV) product (in our case: Sophos Endpoint Security and Control) has a considerable influence on SMB traffic and Bro log entries. The AV implies that all the files present in the selected remote directory are partially read, and this leads to spurious entries in Bro SMB log files.
If a portion of a file is actually transferred then you should definitely expect to see the file represented in smb_files.log and files.log.
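The distinction the thread keeps coming back to is that smb_files.log records file opens and other commands while files.log only records bytes that actually moved. The script below is an added example, not code from the thread or from the Bro/Zeek project: it parses both logs in Zeek's tab-separated format and, joining them on the `fuid` column (assumed here to be shared by the two logs for a given transfer), sorts each SMB file into "open only" (no files.log entry, like the .ini opens Vikram saw), "partial read" (files.log saw fewer bytes than the file's total, the pattern described for the AV scan) or "transferred". The column lists are trimmed to a few of Zeek's real field names and the log contents are constructed sample data, not captured traffic.

```python
"""Correlate Zeek/Bro smb_files.log with files.log so that SMB opens which moved
no bytes can be told apart from reads that actually transferred data."""
from collections import defaultdict

# Constructed sample logs (trimmed to a subset of Zeek's real column names).
SMB_FILES_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.resp_h\tfuid\taction\tpath\tname\tsize
1500000000.1\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t10.0.0.10\tFaBcD1x2\tSMB::FILE_OPEN\t\\\\srv\\share\tdesktop.ini\t282
1500000000.2\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t10.0.0.10\tFeFgH3y4\tSMB::FILE_OPEN\t\\\\srv\\share\treport.docx\t40960
1500000000.3\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t10.0.0.10\tFeFgH3y4\tSMB::FILE_READ\t\\\\srv\\share\treport.docx\t40960
1500000000.4\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t10.0.0.10\tFiJkL5z6\tSMB::FILE_OPEN\t\\\\srv\\share\tbudget.xlsx\t120000
1500000000.5\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t10.0.0.10\tFiJkL5z6\tSMB::FILE_READ\t\\\\srv\\share\tbudget.xlsx\t120000
"""

FILES_LOG = """\
#separator \\x09
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tfilename\tseen_bytes\ttotal_bytes\tmissing_bytes
1500000000.3\tFeFgH3y4\t10.0.0.10\t10.0.0.5\tCHhAvVGS1DHFjwGM9\tSMB\treport.docx\t40960\t40960\t0
1500000000.5\tFiJkL5z6\t10.0.0.10\t10.0.0.5\tCHhAvVGS1DHFjwGM9\tSMB\tbudget.xlsx\t4096\t120000\t0
1500000001.0\tFmNoP7w8\t93.184.216.34\t10.0.0.5\tCUM0KZ3MLUfNB0cl11\tHTTP\tindex.html\t1256\t1256\t0
"""


def parse_zeek_log(text):
    """Parse Zeek's TSV log: the '#fields' line names the columns, other '#'
    lines are metadata, and every remaining line is one record."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row seen before the #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _int_or_none(value):
    """Zeek writes '-' for unset fields; treat that as unknown."""
    return None if value in ("-", "", None) else int(value)


def classify_smb_activity(smb_files_text, files_text):
    """Return {fuid: {name, actions, category, seen_bytes, total_bytes}} where
    category is 'open_only', 'partial_read' or 'transferred'."""
    # files.log rows with source SMB, keyed by fuid (assumed to match smb_files.log).
    transfers = {r["fuid"]: r for r in parse_zeek_log(files_text)
                 if r.get("source") == "SMB"}
    result = {}
    for row in parse_zeek_log(smb_files_text):
        entry = result.setdefault(row["fuid"], {
            "name": row["name"], "actions": set(), "category": None,
            "seen_bytes": 0, "total_bytes": None})
        entry["actions"].add(row["action"])

    for fuid, entry in result.items():
        transfer = transfers.get(fuid)
        if transfer is None:
            # Open/metadata commands only: nothing for files.log to record.
            entry["category"] = "open_only"
            continue
        seen = _int_or_none(transfer["seen_bytes"]) or 0
        total = _int_or_none(transfer["total_bytes"])
        entry["seen_bytes"], entry["total_bytes"] = seen, total
        # Fewer bytes seen than the file holds -> a partial read (e.g. an AV scan).
        entry["category"] = "partial_read" if total is not None and seen < total else "transferred"
    return result


def summarize(classified):
    """Count files per category, handy for a quick per-share or per-host view."""
    counts = defaultdict(int)
    for entry in classified.values():
        counts[entry["category"]] += 1
    return dict(counts)


if __name__ == "__main__":
    classified = classify_smb_activity(SMB_FILES_LOG, FILES_LOG)
    for fuid, entry in classified.items():
        print(fuid, entry["name"], entry["category"], entry["seen_bytes"], entry["total_bytes"])
    print(summarize(classified))
```

Run against real logs by reading the two files into the strings instead of the constructed samples; the `open_only` bucket is where the desktop.ini-style opens land, and a large `partial_read` bucket across a whole directory is the signature the third post describes for an AV scanner walking a share.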