[Bro] Crash on SMB Analyzer - Tree Connect AndX
mkolkebeck at gmail.com
Wed Nov 28 19:29:13 PST 2012
Bro (2.1) crashes when I attempt to store the path of event
smb_com_tree_connect_andx, which is documented as a string variable, to the
Info record's smb_share, which I declared as a string variable. The
stderr.log included below seems to indicate that the SMB Analyzer is
interpreting the path string as a record, not sure which kind. I've
attempted to escape the string, but this doesn't seem to work.

Is this a known bug? Does anyone know of another event that would be
better suited for identifying the share name, or is there any other easy
workaround for this event?

Below is a sample of the stderr.log output:

1354158536.204142 fatal error in <no location>: Val::CONVERTER
(record/string) ([flags=8, password=P , path=\\myhostname\IPC$,

Below is the code snippet:

event smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string,
                                service: string) &priority=5
    {
    # Store the escaped share path in the connection's SMB Info record.
    local path_name = escape_string(path);
    c$smb$smb_share = path_name;
    }