[Bro] Crash on SMB Analyzer - Tree Connect AndX

Mike Kolkebeck mkolkebeck at gmail.com
Wed Nov 28 19:29:13 PST 2012

Bro (2.1) crashes when I attempt to store the path of event
smb_com_tree_connect_andx, which is documented as a string variable, to the
Info record's smb_share, which I declared as a string variable.  The
stderr.log included below seems to indicate that the SMB Analyzer is
interpreting the path string as a record, not sure which kind.  I've
attempted to escape the string, but this doesn't seem to work.

Is this a known bug?  Does anyone know of another event that would be
better suited for identifying the share name, or is there any other easy
workaround for this event?


Below is a sample of the stderr.log output:
1354158536.204142 fatal error in <no location>: Val::CONVERTER
(record/string) ([flags=8, password=P , path=\\myhostname\IPC$,

Below is the code snippet:
event smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string,
                                service: string) &priority=5
    {
    # Escape the share path and store it in the Info record's smb_share field.
    local path_name = escape_string(path);
    c$smb$smb_share = path_name;
    }