SMB files log

Zeek
1

Hey guys,

I’m new to this mailing list - and I have a question about enabling the SMB analyser, I’m sure I’m missing something simple.

I enabled /opt/bro/share/bro/site/local.bro → @load policy/protocols/smb

Running BRO 2.5.1 - I never get the smb_file.log, I do get these:

smb_cmd.log
smb_mapping.log

When I copy a file over SMB I;d expect ths smb_files.log to be populated - I’m sure I’m missing something very simple, anyone have an idea?

Many Thanks,
Luk

2

Hi Luk,

I enabled /opt/bro/share/bro/site/local.bro -> @load policy/protocols/smb

Running BRO 2.5.1 - I never get the smb_file.log, I do get these:

First the thing I have to say - please update to 2.5.5. There are only
minor changes to 2.5.1 and a lot of fixed security issues.

Or - consider upgrading to 2.6 (which admittedly has a bunch of changes).

smb_cmd.log
smb_mapping.log

When I copy a file over SMB I;d expect ths smb_files.log to be populated
- I’m sure I’m missing something very simple, anyone have an idea?

I think you are right and that it should typically be logged.

There are 2 ways that I would start debugging this. First - if possible,
make a pcap of an operation that you would expect to create the
smb_files.log.

Run that through bro, and see if it is there now; if not, take a look at
smb_cmd.log and look if you can find activity that corresponds to the file
copying in there.

Johanna

3

Here is what happened in my env, I can see the smb_file.log if I use smbclient from Linux. But when I do mount, I don't see the log. I'm not expert on this, and it is only what I see.
Yi

    Hi Luk,
    
    > I enabled /opt/bro/share/bro/site/local.bro -> @load policy/protocols/smb
    >
    > Running BRO 2.5.1 - I never get the smb_file.log, I do get these:
    
    First the thing I have to say - please update to 2.5.5. There are only
    minor changes to 2.5.1 and a lot of fixed security issues.
    
    Or - consider upgrading to 2.6 (which admittedly has a bunch of changes).
    
    > smb_cmd.log
    > smb_mapping.log
    >
    > When I copy a file over SMB I;d expect ths smb_files.log to be populated
    > - I’m sure I’m missing something very simple, anyone have an idea?
    
    I think you are right and that it should typically be logged.
    
    There are 2 ways that I would start debugging this. First - if possible,
    make a pcap of an operation that you would expect to create the
    smb_files.log.
    
    Run that through bro, and see if it is there now; if not, take a look at
    smb_cmd.log and look if you can find activity that corresponds to the file
    copying in there.
    
    Johanna

4

Are you sure that you have activity occurring that would result in the smb_files.log being created?

   .Seth