[Bro] Fwd: smb_mapping log add new field from conn.log

[ps sunu]

Hi,

              i need to copy a field from conn.log and add it in
smb_mapping.log,  in my script copy part is working but its not writing in
to smb_mapping log , i am using correct smb events ? or anything wrong
there?

my code



@load policy/protocols/smb
module TrackSMB;

redef LogAscii::use_json = T;



export {

   global conn_resp_ip_bytes: table[addr] of count &synchronized
&write_expire=7day;
   global conn_name_proto: table[addr] of transport_proto &synchronized
&write_expire=7day;


   redef record SMB::TreeInfo +=      {
    proto: transport_proto &optional &log;
     resp_ip_bytes: count &optional &log;



 };
}

event Conn::log_conn (rec: Conn::Info)

{

if(rec?$resp_ip_bytes) {

conn_resp_ip_bytes[rec$id$orig_h] = rec$resp_ip_bytes;


}




if(rec?$proto) {
conn_name_proto[rec$id$orig_h] = rec$proto;
}

}


event file_over_new_connection(f:fa_file; c: connection, is_orig: bool)
&priority=10
{

 if ( c$id$orig_h in TrackSMB::conn_resp_ip_bytes )
     f$info$resp_ip_bytes = TrackSMB::conn_resp_ip_bytes[c$id$orig_h];

if ( c$id$resp_h in TrackSMB::conn_resp_ip_bytes )
     f$info$resp_ip_bytes = TrackSMB::conn_resp_ip_bytes[c$id$resp_h];


if ( c$id$orig_h in TrackSMB::conn_name_proto )
    c$smb$proto = TrackSMB::conn_name_proto[c$id$orig_h];
    if ( c$id$resp_h in TrackSMB::conn_name_proto )
    f$info$proto = TrackSMB::conn_name_proto[c$id$resp_h];
}
                                                          anything wrong in
above script or need to change any events ?

Regards,
Sunu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171103/e2619cfe/attachment.html