[Bro] Bro Error: fatal error in <no location>: Val::CONVERTER(string/record)
(peter)
45070198 at qq.com
Tue Apr 15 06:28:30 PDT 2014
Hi vladg,
Thank you very much. I modified the code following your direction, and it works now.
The code that works well is here; maybe someone needs it :)
module POP3;

export {
    # Register a new log stream ID for POP3.
    redef enum Log::ID += { LOG };

    # One log entry per POP3 client request.
    type Info: record {
        ts: time &log;
        orig_h: addr &log;
        orig_p: port &log;
        resp_h: addr &log;
        resp_p: port &log;
        command: string &log;
        arg: string &log;
    };

    # Event raised for every record written to the stream.
    global log_pop: event(rec: Info);
}

redef record connection += {
    pop3: Info &optional;
};

const ports = { 110/tcp };
redef likely_server_ports += { ports };

event bro_init() &priority=5
{
    Log::create_stream(POP3::LOG, [$columns=POP3::Info, $ev=log_pop]);
    # Attach the POP3 analyzer to connections on the ports above.
    Analyzer::register_for_ports(Analyzer::ANALYZER_POP3, ports);
}

# Build an Info record from the connection and the request fields.
function set_session(c: connection, command: string, arg: string): Info
{
    local l: Info;
    l$ts = network_time();
    l$orig_h = c$id$orig_h;
    l$orig_p = c$id$orig_p;
    l$resp_h = c$id$resp_h;
    l$resp_p = c$id$resp_p;
    l$command = command;
    l$arg = arg;
    return l;
}

event pop3_request(c: connection, is_orig: bool, command: string, arg: string) &priority=5
{
    local myinfo: Info;
    myinfo = set_session(c, command, arg);
    # Log::write takes a record of the stream's column type, not a bare string.
    Log::write(POP3::LOG, myinfo);
}

------------------ Original ------------------
From: "Vlad Grigorescu";<vladg at cmu.edu>;
Date: Tue, Apr 15, 2014 09:02 PM
To: "(peter)"<45070198 at qq.com>;
Cc: "bro"<bro at bro.org>;
Subject: Re: [Bro] Bro Error: fatal error in <no location>: Val::CONVERTER(string/record)
On Apr 15, 2014, at 8:36 AM, (peter) <45070198 at qq.com> wrote:
> event pop3_request(c: connection, is_orig: bool, command: string, arg: string) &priority=5
> {
>     Log::write(LOG, command);
> }
Command needs to be an Info record. You're passing a string. You'll need to fill out an Info record and log that.
> type Info: record {
>     ts: time &log;
>     src: addr &log;
>     srcport: port &log;
>     dst: addr &log;
>     dstport: port &log;
> };
Take a look at the other Bro scripts. This isn't a good Bro Info record. You're even using different terminology (Bro doesn't have the concept of a "source" or "destination" - it's "originator" and "responder.")
--Vlad
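
An added example (not code from this thread or from the Bro distribution) of an Info record laid out the way Bro's bundled protocol scripts do it: a uid plus a conn_id, so each entry can be joined against conn.log, and originator/responder naming inherited from conn_id. It also masks the PASS argument by default, since POP3 sends the password in cleartext and the script above would write it to the log. The names capture_password and log_pop3 are assumptions made for this example.

```bro
module POP3;

export {
    redef enum Log::ID += { LOG };

    # Assumed option for this example: log PASS arguments only when set to T.
    const capture_password = F &redef;

    type Info: record {
        ts:      time    &log;
        uid:     string  &log;   # same uid as in conn.log
        id:      conn_id &log;   # expands to id.orig_h, id.orig_p, id.resp_h, id.resp_p
        command: string  &log;
        arg:     string  &log &optional;
    };

    global log_pop3: event(rec: Info);
}

redef record connection += {
    pop3: Info &optional;
};

const ports = { 110/tcp };
redef likely_server_ports += { ports };

event bro_init() &priority=5
    {
    Log::create_stream(POP3::LOG, [$columns=Info, $ev=log_pop3]);
    Analyzer::register_for_ports(Analyzer::ANALYZER_POP3, ports);
    }

event pop3_request(c: connection, is_orig: bool, command: string, arg: string) &priority=5
    {
    local info: Info = [$ts=network_time(), $uid=c$uid, $id=c$id, $command=command];

    # Keep cleartext credentials out of the log unless explicitly enabled.
    if ( to_upper(command) == "PASS" && ! capture_password )
        info$arg = "<hidden>";
    else if ( arg != "" )
        info$arg = arg;

    c$pop3 = info;
    # The second argument is a record of the stream's $columns type.
    Log::write(POP3::LOG, c$pop3);
    }
```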