I was wondering if anyone had a script (or documentation) that logs SMB traffic and activities including file names and folders being read, written, connections, etc.
The only information I found regarding this is from the event.bif.bro which ships with Bro 2.0.
.. todo:: Bro's current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to add a corresponding entry to :bro:see:`dpd_config` or a DPD payload signature.
I believe that this analyzer is broken. I'm still working on the rewrite of the SMB analyzer which initially will probably focus primarily around file transfers and some of the associated data.
A big +1 for this analyzer. Turning on this functionality on the
server-side impacts performance significantly, so being able to do
this on the network is a big win.
Do you currently monitor in locations where you see SMB traffic?
I can't answer for Martin, but we do, heavily.
Yep, the egress of a datacenter where fileservers sit is a great place
to put an NSM sensor, and all clients have to pass through those
gates, so all desktop-fileserver access can be audited.
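On the point about auditing desktop-to-fileserver access from the network rather than on the server: the following is an added Python example, not Bro code and not the SMB analyzer discussed in this thread, showing what a passive sensor can pull out of one SMB2 message for an audit record (command, direction, tree and session ids, and for a CREATE request the file name and open disposition). It assumes the caller has already reassembled the TCP stream and stripped the 4-byte NetBIOS session header so the buffer starts at the SMB2 header; the sample request it parses is constructed inline, not a captured packet. Field layouts follow MS-SMB2 (header in 2.2.1, CREATE request in 2.2.13).

```python
"""Passive SMB2 audit record from a single message (added example, not Bro code).

Assumes `data` starts at the SMB2 header (0xFE 'S' 'M' 'B'): TCP reassembly and the
4-byte NetBIOS session header are the caller's job. Layouts per MS-SMB2 2.2.1 / 2.2.13.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_HEADER_FMT = "<HHIHHIIQIIQ"      # header fields after the magic, before the 16-byte signature
SMB2_CREATE_FMT = "<HBBIQQIIIIIHHII"  # fixed 56-byte part of the CREATE request
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on responses, clear on requests

SMB2_COMMANDS = {
    0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0002: "LOGOFF",
    0x0003: "TREE_CONNECT", 0x0004: "TREE_DISCONNECT", 0x0005: "CREATE",
    0x0006: "CLOSE", 0x0007: "FLUSH", 0x0008: "READ", 0x0009: "WRITE",
}
CREATE_DISPOSITIONS = {0: "SUPERSEDE", 1: "OPEN", 2: "CREATE",
                       3: "OPEN_IF", 4: "OVERWRITE", 5: "OVERWRITE_IF"}


def parse_smb2_header(data):
    """Return the header fields an audit log would key on."""
    if len(data) < SMB2_HEADER_LEN or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    (struct_size, _credit_charge, status, command, _credits, flags, _next_cmd,
     message_id, _reserved, tree_id, session_id) = struct.unpack_from(SMB2_HEADER_FMT, data, 4)
    if struct_size != SMB2_HEADER_LEN:
        raise ValueError("bad SMB2 header StructureSize")
    return {
        "command": SMB2_COMMANDS.get(command, "0x%04x" % command),
        "direction": "response" if flags & SMB2_FLAGS_SERVER_TO_REDIR else "request",
        "status": status, "message_id": message_id,
        "tree_id": tree_id, "session_id": session_id,
    }


def parse_create_request(data):
    """Extract the file name and open disposition from an SMB2 CREATE request."""
    if len(data) < SMB2_HEADER_LEN + 56:
        raise ValueError("truncated CREATE request")
    fields = struct.unpack_from(SMB2_CREATE_FMT, data, SMB2_HEADER_LEN)
    struct_size, disposition, name_off, name_len = fields[0], fields[9], fields[11], fields[12]
    if struct_size != 57:
        raise ValueError("bad CREATE request StructureSize")
    # NameOffset is measured from the start of the SMB2 header; bounds-check before
    # slicing so a truncated or malformed message cannot make the sensor misparse.
    if name_off < SMB2_HEADER_LEN + 56 or name_off + name_len > len(data):
        raise ValueError("file name lies outside the message")
    name = data[name_off:name_off + name_len].decode("utf-16-le")
    return {"filename": name,
            "disposition": CREATE_DISPOSITIONS.get(disposition, str(disposition))}


def audit_message(data):
    """One audit record: header fields, plus the file name for CREATE requests."""
    rec = parse_smb2_header(data)
    if rec["command"] == "CREATE" and rec["direction"] == "request":
        rec.update(parse_create_request(data))
    return rec


def build_create_request(path, tree_id=1, session_id=0x1234, message_id=7):
    """Constructed CREATE request used as sample input here (not a captured packet)."""
    name = path.encode("utf-16-le")
    name_off = SMB2_HEADER_LEN + 56  # the name immediately follows the fixed part
    header = SMB2_MAGIC + struct.pack(SMB2_HEADER_FMT, SMB2_HEADER_LEN, 1, 0, 0x0005, 1,
                                      0, 0, message_id, 0, tree_id, session_id) + b"\x00" * 16
    body = struct.pack(SMB2_CREATE_FMT, 57, 0, 0, 2, 0, 0,
                       0x00120089,  # DesiredAccess: a read-style access mask
                       0, 7,        # FileAttributes, ShareAccess (read/write/delete)
                       1,           # CreateDisposition: FILE_OPEN
                       0x40,        # CreateOptions: FILE_NON_DIRECTORY_FILE
                       name_off, len(name), 0, 0)
    return header + body + name


if __name__ == "__main__":
    for p in ("Finance\\Q3\\budget.xlsx", "Engineering\\designs\\board-rev2.sch"):
        print(audit_message(build_create_request(p, tree_id=3)))
```

The tree id has to be joined with the earlier TREE_CONNECT on the same session to recover the share name, and SMB1 uses a different header and CREATE layout, so a real sensor needs both paths. The caveat that matters for the datacenter-egress placement described above is SMB3 encryption: once a session is encrypted the file names are no longer visible to a network sensor, and the server-side audit is the only remaining source.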