[Bro] No info record
Michael Black
mdblack98 at gmail.com
Fri Jul 31 06:59:36 PDT 2015
Using 2.4

I'm having a problem in a connection_finished event. I've extended the
connection record with an extra field.

But processing a 512MB capture file I have, I get a number of connection
events that don't have a c$conn record in them.
I get the same behavior using connection_EOF.

This script demonstrates the problem. I've attached a sample of the
conn.log records that show a mix of good/bad where you can see the TEST1 and
N/A default on the non-conn records.

1426100429.761609 expression error in ./test.bro, line 11: field value missing [c$conn]

It seems that if there is no "string" value or if it's an ssl, dns, for
example, then there is no $conn field.

Is there an extendable record in a connection record that is ALWAYS there?

@load base/utils/site
@load base/protocols/conn

redef record Conn::Info += {
    testfield: string &default="N/A" &log;
};

event connection_finished(c: connection)
    {
    if (!c?$conn) {
        c$conn$testfield = "TEST2";
    }
    else {
        print("TEST1");
        c$conn$testfield = "TEST1";
    }
    }

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: badconn.txt
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150731/c6a4185f/attachment.txt