Hi Everyone,
I have a problem using the "conn" field in the connection record. The reference states that "conn" should exist if "base/protocols/conn/main.bro" is loaded. I have it loaded and the "conn.log" is generated. However, the "conn" field is not there. I got the connection record from the new_packet event. Anyone have any idea? Thanks a lot.
Best,
Wenyu
Wenyu Ren
Ph.D. Candidate
Department of Computer Science
University of Illinois at Urbana-Champaign
The documentation states that the "conn" field exists if
base/protocols/conn/main.bro is loaded. Since the "conn" field has
the "&optional" attribute, it is not required to have a value.
At the time that the new_packet event is handled, not all of the
necessary information has been gathered, so the "conn" field
doesn't have a value yet. If you try checking in a subsequent event, such as connection_state_remove, then you should be able to see a value
assigned to the "conn" field (and if you look at the base/protocols/conn/main.bro script, you can see where it assigns a value to the
conn field).
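As an added illustration (not a script from the thread or from the Bro distribution), a small policy script that tests the `&optional` field at both points before touching it; `c?$conn` is the existence test for an optional record field, and the event names are the standard ones from the Bro 2.x event reference:

```bro
# Added example: observe when the optional c$conn field becomes available.
@load base/protocols/conn

event new_packet(c: connection, p: pkt_hdr)
	{
	# Early in the connection the Conn::Info record has usually not been
	# created yet, so test for the field instead of dereferencing it.
	if ( ! c?$conn )
		print fmt("new_packet: %s conn field not set yet", c$uid);
	else
		print fmt("new_packet: %s conn field present (proto=%s)", c$uid, c$conn$proto);
	}

# main.bro fills in c$conn in its own connection_state_remove handler at
# priority 5, so a default-priority handler like this one sees the final record.
event connection_state_remove(c: connection)
	{
	if ( ! c?$conn )
		return;

	# Fields inside Conn::Info are themselves &optional; guard each one.
	local svc = c$conn?$service ? c$conn$service : "-";
	local dur = c$conn?$duration ? fmt("%s", c$conn$duration) : "-";
	print fmt("connection_state_remove: %s proto=%s service=%s duration=%s",
	          c$uid, c$conn$proto, svc, dur);
	}
```

Run it against a pcap (`bro -r trace.pcap example.bro`) to see the field absent in the early events and populated by the time the connection is removed.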