[Bro] smb_files.log generating duplicate entry

ps sunu pssunu6 at gmail.com
Tue Nov 7 11:13:11 PST 2017 

Hi ,

                i need to copy  2 fields from conn.log and  add it in
smb_files.log it is adding but its entering as a duplicate entry
my code


@load policy/protocols/smb
module TrackSMB;
redef LogAscii::use_json = T;

export {

   global conn_resp_ip_bytes: table[addr] of count &synchronized
&write_expire=7day;
   global conn_name_proto: table[addr] of transport_proto &synchronized
&write_expire=7day;
#   global conn_service: table[addr] of string &synchronized
&write_expire=7day;

  redef record SMB::FileInfo += {
    proto: transport_proto &optional &log;

    resp_ip_bytes: count &optional &log;



 };
}



event Conn::log_conn (rec: Conn::Info)

{


if(rec?$resp_ip_bytes) {

conn_resp_ip_bytes[rec$id$orig_h] = rec$resp_ip_bytes;


}




if(rec?$proto) {
conn_name_proto[rec$id$orig_h] = rec$proto;
}

z


}







event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
&priority=5
{

 #if (f$source == "SMB") {
  if ( c$id$orig_h in TrackSMB::conn_resp_ip_bytes )
if (c?$smb_state && c$smb_state?$current_cmd) {
  c$smb_state$current_cmd$referenced_file$resp_ip_bytes =
TrackSMB::conn_resp_ip_bytes[c$id$orig_h];
}
    if ( c$id$resp_h in TrackSMB::conn_resp_ip_bytes )
if (c?$smb_state && c$smb_state?$current_cmd) {
  c$smb_state$current_cmd$referenced_file$resp_ip_bytes =
TrackSMB::conn_resp_ip_bytes[c$id$resp_h];
}

if ( c$id$orig_h in TrackSMB::conn_name_proto )
if (c?$smb_state && c$smb_state?$current_cmd) {
   c$smb_state$current_cmd$referenced_file$proto =
TrackSMB::conn_name_proto[c$id$orig_h];
}
  if ( c$id$resp_h in TrackSMB::conn_name_proto )
if (c?$smb_state && c$smb_state?$current_cmd) {
   c$smb_state$current_cmd$referenced_file$proto =
TrackSMB::conn_name_proto[c$id$resp_h];
}

Log::write(SMB::FILES_LOG, c$smb_state$current_cmd$referenced_file);
#  print c$smb_state$current_cmd$referenced_file$proto;



  #  }

}


http://try.bro.org/#/trybro/saved/184583



Regards,
Sunu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171108/4833a396/attachment.html

More information about the Bro mailing list