[Bro] smb_mapping log add new field from conn.log
Seth Hall
seth at corelight.com
Fri Nov 3 06:07:42 PDT 2017
Keep in mind that if you are running a cluster, your global values are
stored locally on each worker so connections happening on different
workers won't know the values for the other workers.
.Seth
On 3 Nov 2017, at 9:06, ps sunu wrote:
> Sir,
> now I changed it as you mentioned, and it's
> running
> without error, but it's not hitting the log.
>
> my changed code
>
> @load policy/protocols/smb
> module TrackSMB;
>
> redef LogAscii::use_json = T;
>
> export {
>     global conn_resp_ip_bytes: table[addr] of count &synchronized
>         &write_expire=7day;
>     global conn_name_proto: table[addr] of transport_proto &synchronized
>         &write_expire=7day;
>
>     redef record SMB::TreeInfo += {
>         proto: transport_proto &optional &log;
>         resp_ip_bytes: count &optional &log;
>     };
> }
>
> event Conn::log_conn (rec: Conn::Info)
>     {
>     if ( rec?$resp_ip_bytes )
>         conn_resp_ip_bytes[rec$id$orig_h] = rec$resp_ip_bytes;
>
>     if ( rec?$proto )
>         conn_name_proto[rec$id$orig_h] = rec$proto;
>     }
>
> event smb_pipe_connect_heuristic (c: connection) &priority=10
>     {
>     if ( c$id$orig_h in TrackSMB::conn_resp_ip_bytes )
>         c$smb_state$current_tree$resp_ip_bytes =
>             TrackSMB::conn_resp_ip_bytes[c$id$orig_h];
>
>     if ( c$id$resp_h in TrackSMB::conn_resp_ip_bytes )
>         c$smb_state$current_tree$resp_ip_bytes =
>             TrackSMB::conn_resp_ip_bytes[c$id$resp_h];
>
>     if ( c$id$orig_h in TrackSMB::conn_name_proto )
>         c$smb_state$current_tree$proto =
>             TrackSMB::conn_name_proto[c$id$orig_h];
>
>     if ( c$id$resp_h in TrackSMB::conn_name_proto )
>         c$smb_state$current_tree$proto =
>             TrackSMB::conn_name_proto[c$id$resp_h];
>
>     # print c$smb_state$current_tree$proto;
>     }
>
>
>
>
> Regards,
> Sunu
>
>
> On Fri, Nov 3, 2017 at 5:39 PM, Seth Hall <seth at corelight.com> wrote:
>
>> You have several problems that I'm seeing, but I haven't actually run your
>> script to see if there are more.
>>
>> On 3 Nov 2017, at 5:59, ps sunu wrote:
>>
>>> redef record SMB::TreeInfo += {
>>> proto: transport_proto &optional &log;
>>> resp_ip_bytes: count &optional &log;
>>> };
>>>
>>
>> You added these fields to the SMB::TreeInfo record (just keep that in
>> mind)...
>>
>>> event Conn::log_conn (rec: Conn::Info)
>>> {
>>> if(rec?$resp_ip_bytes) {
>>> conn_resp_ip_bytes[rec$id$orig_h] = rec$resp_ip_bytes;
>>> }
>>>
>>> if(rec?$proto) {
>>> conn_name_proto[rec$id$orig_h] = rec$proto;
>>> }
>>> }
>>>
>>
>> This whole section is only run when a conn log entry is being written, so
>> if everything only happens over a single connection you won't see your
>> tables have any data since nothing will be written until the connection
>> ends.
>>
>>> event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
>>> &priority=10
>>> {
>>> if ( c$id$orig_h in TrackSMB::conn_resp_ip_bytes )
>>> f$info$resp_ip_bytes =
>>> TrackSMB::conn_resp_ip_bytes[c$id$orig_h];
>>>
>>
>> You put those fields into the SMB::TreeInfo record, but f$info is the
>> Files::Info record.
>>
>>
>>> c$smb$proto = TrackSMB::conn_name_proto[c$id$orig_h];
>>> if ( c$id$resp_h in TrackSMB::conn_name_proto )
>>> f$info$proto = TrackSMB::conn_name_proto[c$id$resp_h];
>>>
>>
>> You are jumping around a bit here: you added the proto field to
>> SMB::TreeInfo, but c$smb doesn't even exist. To access the SMB::TreeInfo
>> record, it should be c$smb_state$current_tree.
>>
>> .Seth
>>
>> --
>> Seth Hall * Corelight, Inc * www.corelight.com
>>
--
Seth Hall * Corelight, Inc * www.corelight.com
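An added example, not from anyone in this thread, showing how the same two smb_mapping columns can be filled directly from the connection record in the tree-connect response handlers, so there is no global table to stay per-worker in a cluster and no wait for Conn::log_conn at connection end; the event signatures, the `num_bytes_ip` endpoint field and the stock scripts' write priority are assumptions about Bro 2.5.

```zeek
@load policy/protocols/smb

module TrackSMB;

export {
    # Same extra columns as in the thread's script.
    redef record SMB::TreeInfo += {
        proto: transport_proto &optional &log;
        resp_ip_bytes: count &optional &log;
    };
}

# Read the values from the connection the SMB analyzer hands us: the tree
# and the conn.log entry describe the same connection, so nothing has to be
# shared across workers. resp_ip_bytes here is the responder byte count at
# the moment the tree connect response is seen, not the final conn.log value.
function enrich_tree(c: connection)
    {
    if ( ! c?$smb_state || ! c$smb_state?$current_tree )
        return;

    c$smb_state$current_tree$proto = get_port_transport_proto(c$id$resp_p);

    # num_bytes_ip is &optional on the endpoint record (assumed name); it is
    # only present while the connection size analyzer is enabled.
    if ( c$resp?$num_bytes_ip )
        c$smb_state$current_tree$resp_ip_bytes = c$resp$num_bytes_ip;
    }

# Assumption: the stock SMB scripts write smb_mapping.log from these two
# events at &priority=-5, so a higher priority runs the enrichment first.
event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header,
                                       service: string,
                                       native_file_system: string) &priority=5
    {
    enrich_tree(c);
    }

event smb2_tree_connect_response(c: connection, hdr: SMB2::Header,
                                  response: SMB2::TreeConnectResponse) &priority=5
    {
    enrich_tree(c);
    }
```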