[Bro] No info record

Michael Black mdblack98 at gmail.com
Wed Aug 5 10:08:16 PDT 2015


Fixed the problem by using the connection_state_remove event instead.
It appears many protocols don't add the conn fields until after the
connection_finished event.

Mike

On Fri, Jul 31, 2015 at 8:59 AM, Michael Black <mdblack98 at gmail.com> wrote:

> Using 2.4
>
> I'm having a problem in a connection_finished event.  I've extended the
> connection record with an extra field.
>
> But... processing a 512MB capture file I have, I get a number of connection
> events that don't have a c$conn record in them.
>
> I get the same behavior using connection_EOF.
>
> This script demonstrates the problem.  I've attached a sample of the
> conn.log records that show a mix of good/bad where you can see the TEST1
> and N/A default on the non-conn records.
>
> 1426100429.761609 expression error in ./test.bro, line 11: field value
> missing [c$conn]
>
> It seems that if there is no "string" value or if it's an ssl, dns, for
> example, then there is no $conn field.
>
> Is there an extendable record in a connection record that is ALWAYS there?
>
> @load base/utils/site
> @load base/protocols/conn
>
> redef record Conn::Info += {
>         testfield: string &default="N/A" &log;
> };
>
> event connection_finished(c: connection)
> {
>         if (!c?$conn) {
>                 # c$conn is absent in this branch, so this assignment is
>                 # what raises the "field value missing [c$conn]" error
>                 c$conn$testfield = "TEST2";
>         }
>         else {
>                 print("TEST1");
>                 c$conn$testfield = "TEST1";
>         }
> }
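The fix Mike describes, applied to his test script as an added example (this is not code from the thread): the handler moves to connection_state_remove, and a missing c$conn is reported rather than written into, which is what produced the expression error. Labelling by c$conn$service is my own addition for illustration.

```bro
@load base/utils/site
@load base/protocols/conn

redef record Conn::Info += {
        testfield: string &default="N/A" &log;
};

# connection_state_remove is raised when the core discards the connection,
# after the protocol analyzers have filled in c$conn, so the record is
# normally present here.  Conn's own handler writes conn.log from this
# same event at a lower (negative) priority, so a value assigned at the
# default priority still ends up in the log line.
event connection_state_remove(c: connection)
{
        # Guard instead of assigning: writing into an absent c$conn is
        # exactly the "field value missing [c$conn]" failure.
        if ( ! c?$conn )
                {
                print fmt("no Conn::Info for connection %s", c$uid);
                return;
                }

        # service is &optional in Conn::Info; it is only set once an
        # analyzer (ssl, dns, ...) has identified the protocol.
        if ( c$conn?$service )
                c$conn$testfield = fmt("TEST-%s", c$conn$service);
        else
                c$conn$testfield = "TEST1";
}
```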