[Bro] Fwd: smb_mapping log add new field from conn.log

ps sunu pssunu6 at gmail.com
Fri Nov 3 02:59:12 PDT 2017


              i need to copy a field from conn.log and add it in
smb_mapping.log,  in my script copy part is working but its not writing in
to smb_mapping log , i am using correct smb events ? or anything wrong

my code

@load policy/protocols/smb
module TrackSMB;

redef LogAscii::use_json = T;

export {

   global conn_resp_ip_bytes: table[addr] of count &synchronized
   global conn_name_proto: table[addr] of transport_proto &synchronized

   redef record SMB::TreeInfo +=      {
    proto: transport_proto &optional &log;
     resp_ip_bytes: count &optional &log;


event Conn::log_conn (rec: Conn::Info)


if(rec?$resp_ip_bytes) {

conn_resp_ip_bytes[rec$id$orig_h] = rec$resp_ip_bytes;


if(rec?$proto) {
conn_name_proto[rec$id$orig_h] = rec$proto;


event file_over_new_connection(f:fa_file; c: connection, is_orig: bool)

 if ( c$id$orig_h in TrackSMB::conn_resp_ip_bytes )
     f$info$resp_ip_bytes = TrackSMB::conn_resp_ip_bytes[c$id$orig_h];

if ( c$id$resp_h in TrackSMB::conn_resp_ip_bytes )
     f$info$resp_ip_bytes = TrackSMB::conn_resp_ip_bytes[c$id$resp_h];

if ( c$id$orig_h in TrackSMB::conn_name_proto )
    c$smb$proto = TrackSMB::conn_name_proto[c$id$orig_h];
    if ( c$id$resp_h in TrackSMB::conn_name_proto )
    f$info$proto = TrackSMB::conn_name_proto[c$id$resp_h];
                                                          anything wrong in
above script or need to change any events ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171103/e2619cfe/attachment.html 

More information about the Bro mailing list