Hi
The smb-ransomware.bro script doesn't have enough information in the notice log:
https://github.com/fox-it/bro-scripts/blob/master/smb-ransomware/smb-ransomware.bro
The notice log below doesn't have connection info, for example from where to where the ransomware was found:
    $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
        {
        NOTICE([$note=RANSOMWARE_SMB,
                $msg="Ransomware encrypting share detected"]);
        }]);
Regards,
Sunu
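
One way a SumStats-based notice can carry the hosts involved, as an added example that is not part of the original post and not the fox-it script's own code. It assumes the observation is keyed on the client address (`key$host`) and the server address (`key$str`); the module name, stream name, threshold value and the helper `observe_suspicious_write` are hypothetical.

```bro
@load base/frameworks/notice
@load base/frameworks/sumstats

module RansomwareExample;   # hypothetical module name

export {
    redef enum Notice::Type += { RANSOMWARE_SMB_EXAMPLE };
}

# Hypothetical helper: call it from whichever SMB event the detection hooks.
# The key is what later reaches $threshold_crossed, so the hosts go in here.
function observe_suspicious_write(c: connection)
    {
    SumStats::observe("example.smb.suspicious",
                      [$host=c$id$orig_h, $str=cat(c$id$resp_h)],
                      [$num=1]);
    }

event bro_init()
    {
    local r1 = SumStats::Reducer($stream="example.smb.suspicious",
                                 $apply=set(SumStats::SUM));

    SumStats::create([$name="example.smb.suspicious",
        $epoch=5min,          # assumed window
        $reducers=set(r1),
        $threshold=10.0,      # assumed threshold
        $threshold_val(key: SumStats::Key, result: SumStats::Result) =
            {
            return result["example.smb.suspicious"]$sum;
            },
        $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
            {
            # No connection record exists here, only the key, so the
            # client and server come from the key fields set above.
            NOTICE([$note=RANSOMWARE_SMB_EXAMPLE,
                    $src=key$host,
                    $dst=to_addr(key$str),
                    $msg=fmt("Ransomware encrypting share detected: client %s, server %s",
                             key$host, key$str),
                    $identifier=cat(key$host, key$str)]);
            }]);
    }
```

With `$src` and `$dst` set, the `src` and `dst` columns of notice.log are populated, and `$identifier` lets the notice framework suppress repeats for the same client and server pair.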