ATTACK::Lateral_Movement_Extracted_File whitelists not working
glwallum opened this issue · comments
Hello,
I am excluding addresses using the bzar_config_options.bro.
The attack_lm_extracted_file_whitelist_orig_addrs is not correctly excluding IP addresses, and we are still receiving alerts for ones which are in the set.
Thank you for bringing that to my attention. Good catch. The file 'bzar_files.bro' does not perform any checks against the whitelists. Oversight on my part. I can add those checks soon.
I added a whitelist check to 'bzar_files.bro' to skip file extraction and/or to skip reporting that a file was extracted. This should remedy the issue.
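For readers following along, the following Zeek script sketches the shape of a whitelist check like the one described above: before extracting or reporting a file seen on a connection, the originator and responder addresses are tested against address sets. This is an added illustration, not BZAR's own `bzar_files.bro` code; the module name, the sample addresses, the responder-side set name (`example_whitelist_resp_addrs`) and the notice type are assumptions for the example, and the whitelist is declared as `set[addr]` here, which may differ from BZAR's actual option type.

```zeek
# Example only: a whitelist-aware file-extraction handler (not BZAR's code).
module BZAR_Example;

export {
    # Constructed whitelists for the example. In BZAR the originator set is
    # configured in bzar_config_options.bro; the type here is an assumption.
    option attack_lm_extracted_file_whitelist_orig_addrs: set[addr] = {
        10.0.0.5,
        10.0.0.6,
    };
    # Hypothetical responder-side counterpart, named for this example.
    option example_whitelist_resp_addrs: set[addr] = {
        10.0.0.250,
    };

    # Example notice type, so the script is self-contained.
    redef enum Notice::Type += {
        Example_Lateral_Movement_Extracted_File,
    };
}

# Returns T when either endpoint of the connection is whitelisted.
function is_whitelisted(c: connection): bool
{
    return c$id$orig_h in attack_lm_extracted_file_whitelist_orig_addrs ||
           c$id$resp_h in example_whitelist_resp_addrs;
}

# Fires once per file carried over a new connection.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
{
    # The whitelist test comes first, so a whitelisted host is neither
    # extracted from nor reported on.
    if ( is_whitelisted(c) )
        return;

    # Only act on files transferred over SMB (the lateral-movement case).
    if ( ! f?$source || f$source != "SMB" )
        return;

    # Skip extraction / reporting would be governed by the same check above.
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT);

    NOTICE([$note=Example_Lateral_Movement_Extracted_File,
            $msg=fmt("file %s written over SMB from %s to %s",
                     f$id, c$id$orig_h, c$id$resp_h),
            $conn=c]);
}
```

Putting the check at the top of the handler means a whitelisted originator or responder causes an early return before either `Files::add_analyzer` or `NOTICE` runs, which is the behaviour the maintainer describes (skip extraction and skip reporting).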