[Bro] SMB Event Prototype Issue
dpearso at sandia.gov
Wed Jan 15 13:10:28 PST 2014
I've been porting the SMB script over to Bro 2.x, but I seem to have run into a problem with one of the event prototypes. When trying to work with the event smb_com_tree_connect_andx (with prototype event (c: connection, hdr: smb_hdr, path: string, service: string)), I am unable to correctly parse the path argument. Using the SANS 2013 Holiday PCAP as an example:
david at david-sec-onion:~/Desktop/sans_analysis$ bro -C -r sansholidayhack2013.pcap smb.bro | more
[flags=0, password=\0, path=\\10.25.22.58\IPC$, service=?????]
To me, it looks like the path field might actually be a set, though I'm relatively new to Bro. Does anybody have thoughts regarding this?
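For reference, the wire layout the event is fed from, as an added worked example (my own code, not Bro's SMB analyzer or anything from the PCAP): a builder and parser for the SMB_COM_TREE_CONNECT_ANDX request body as specified in MS-CIFS. Path is a UTF-16LE string preceded by an alignment pad when the header's Flags2 has SMB_FLAGS2_UNICODE set, and an 8-bit OEM string otherwise; Service is always an OEM string. The sample bytes below are constructed for the example (the share name merely reuses the one from the output above); names such as build_tree_connect_andx and split_unc are my own.

```python
import struct

# SMB1 header Flags2 bit: strings in this message are UTF-16LE (MS-CIFS 2.2.3.1)
SMB_FLAGS2_UNICODE = 0x8000
SMB_HEADER_LEN = 32  # alignment is measured from the start of the SMB header


def build_tree_connect_andx(path, service, unicode_strings=True, password=b"\x00"):
    """Assemble a constructed SMB_COM_TREE_CONNECT_ANDX request body (everything
    after the 32-byte SMB header) and return (flags2, body). Sample data for the
    example only, not bytes captured from a real session."""
    flags2 = SMB_FLAGS2_UNICODE if unicode_strings else 0
    # SMB_Parameters: WordCount=4, AndXCommand=0xFF (no chained command),
    # AndXReserved, AndXOffset, Flags, PasswordLength.
    params = struct.pack("<BBBHHH", 4, 0xFF, 0, 0, 0, len(password))
    data = bytearray(password)
    if unicode_strings:
        # MS-CIFS: Path MUST start on a 2-byte boundary. The header is 32 bytes,
        # so the parity of the body offset (params + ByteCount + Password) decides.
        if (len(params) + 2 + len(data)) % 2:
            data += b"\x00"  # Pad byte
        data += path.encode("utf-16-le") + b"\x00\x00"
    else:
        data += path.encode("ascii") + b"\x00"
    # Service is always an OEM (8-bit) string, whatever Flags2 says.
    data += service.encode("ascii") + b"\x00"
    return flags2, params + struct.pack("<H", len(data)) + bytes(data)


def parse_tree_connect_andx(flags2, body):
    """Parse a TREE_CONNECT_ANDX request body, decoding Path according to
    SMB_FLAGS2_UNICODE and Service as OEM text. Raises ValueError on malformed input."""
    word_count, andx_cmd, _reserved, _andx_off, flags, pw_len = struct.unpack_from("<BBBHHH", body, 0)
    if word_count != 4:
        raise ValueError("unexpected WordCount %d" % word_count)
    off = 1 + 2 * word_count  # skip WordCount and the 4 parameter words
    (byte_count,) = struct.unpack_from("<H", body, off)
    off += 2
    end = off + byte_count
    if end > len(body) or off + pw_len > end:
        raise ValueError("ByteCount/PasswordLength exceed the message")
    password = bytes(body[off:off + pw_len])
    off += pw_len
    unicode_strings = bool(flags2 & SMB_FLAGS2_UNICODE)
    if unicode_strings:
        if (SMB_HEADER_LEN + off) % 2:
            off += 1  # skip the Pad byte that aligns the UTF-16LE Path
        # Scan for the 16-bit terminator on 2-byte boundaries only.
        term = off
        while term + 1 < end and body[term:term + 2] != b"\x00\x00":
            term += 2
        if term + 1 >= end:
            raise ValueError("unterminated Unicode Path")
        path = body[off:term].decode("utf-16-le")
        off = term + 2
    else:
        term = body.index(b"\x00", off, end)
        path = body[off:term].decode("latin-1")
        off = term + 1
    term = body.index(b"\x00", off, end)
    service = body[off:term].decode("latin-1")
    return {
        "flags": flags,
        "andx_command": andx_cmd,
        "unicode": unicode_strings,
        "password": password,
        "path": path,
        "service": service,
    }


def split_unc(path):
    """Split a UNC path '\\\\server\\share' into (server, share)."""
    if not path.startswith("\\\\"):
        raise ValueError("not a UNC path: %r" % path)
    server, _, share = path[2:].partition("\\")
    if not server or not share:
        raise ValueError("malformed UNC path: %r" % path)
    return server, share


if __name__ == "__main__":
    flags2, body = build_tree_connect_andx("\\\\10.25.22.58\\IPC$", "IPC")
    print(parse_tree_connect_andx(flags2, body))
```

The point to keep in mind when reading an analyzer's output for this command: Path and Service use different string encodings in the same message, and Service starts right after Path's terminator, so any reader that steps over Path with the wrong string width (or ignores the pad) ends up decoding Service from the wrong bytes.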