[Bro] id into x509.log
Azoff, Justin S
jazoff at illinois.edu
Thu Apr 20 13:48:03 PDT 2017
> On Apr 20, 2017, at 4:40 PM, ps sunu <pssunu6 at gmail.com> wrote:
>
> Yes, you are right. I tested the above code and it's working, but I'm not seeing any conn_id related entries.
>
> I am using the http://try.bro.org/#/trybro/saved/140090 pcap for testing this.
Ah right, I tested it with print but didn't actually look at the log. It's a problem with the priority: it's using the same event that is used to log the record, so you need to ensure that your file_state_remove event runs first.
I also had the parentheses slightly wrong (I always screw things up when I try to use the indentation brace style that Bro uses).
This definitely works:
# Runs before the base x509 script's handler for the same event, which
# writes the record to x509.log; a higher &priority means this runs first.
event file_state_remove(f: fa_file) &priority=10
    {
    # Nothing to do for files that carry no X.509 record.
    if ( ! f$info?$x509 )
        return;

    # Assume this file only has one connection; the conn_id field is the
    # one added to X509::Info by the redef earlier in this thread.
    for ( id in f$conns )
        {
        local c = f$conns[id];
        f$info$x509$conn_id = c$id;
        }
    }
http://try.bro.org/#/trybro/saved/140102
--
- Justin Azoff
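An added, self-contained version of the script discussed in this thread (not Justin's code): it includes the record redef that the page only refers to as "above code", and, going one step beyond the reply, also records every connection uid when a certificate was seen over more than one connection. The field names conn_id and conn_uids, and the use of X509::Info as the record to extend, are assumptions.

```bro
# Added example, not the poster's code. Extends x509.log with connection
# information for the certificate's file.
module X509;

export {
    redef record Info += {
        # Assumed: the earlier message in the thread defined this field.
        conn_id:   conn_id     &log &optional;
        # Assumed extra field: uids of every connection the file was seen on,
        # so the "one connection per file" assumption no longer loses data.
        conn_uids: set[string] &log &optional;
    };
}

# The base x509 script logs f$info$x509 from this same event, so this
# handler must run at a higher priority than that Log::write call.
event file_state_remove(f: fa_file) &priority=10
    {
    if ( ! f$info?$x509 )
        return;

    f$info$x509$conn_uids = set();

    for ( id in f$conns )
        {
        local c = f$conns[id];

        # Keep the first connection's 5-tuple for the single conn_id column.
        if ( ! f$info$x509?$conn_id )
            f$info$x509$conn_id = c$id;

        # Collect all uids so multi-connection files stay traceable in conn.log.
        add f$info$x509$conn_uids[c$uid];
        }
    }
```

Load it with bro -r <pcap> and check x509.log for the new conn_id and conn_uids columns; the uids can then be joined against conn.log.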