[Bro] Crash on SMB Analyzer - Tree Connect AndX

Mike Kolkebeck mkolkebeck at gmail.com
Wed Nov 28 19:29:13 PST 2012


Bro (2.1) crashes when I attempt to store the path of event
smb_com_tree_connect_andx, which is documented as a string variable, to the
Info record's smb_share, which I declared as a string variable.  The
stderr.log included below seems to indicate that the SMB Analyzer is
interpreting the path string as a record, not sure which kind.  I've
attempted to escape the string, but this doesn't seem to work.

Is this a known bug?  Does anyone know of another event that would be
better suited for identifying the share name, or is there any other easy
workaround for this event?


Thanks!
Mike



Below is a sample of the stderr.log output:
---------
1354158536.204142 fatal error in <no location>: Val::CONVERTER
(record/string) ([flags=8, password=P , path=\\myhostname\IPC$,
service=?????])


Below is the code snippet:
----------
event smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string, service: string) &priority=5
    {
    set_session(c, hdr);
    local path_name = escape_string(path);
    c$smb$smb_share = path_name;
    }