Crash on SMB Analyzer - Tree Connect AndX

Bro (2.1) crashes when I attempt to store the path of event smb_com_tree_connect_andx, which is documented as a string variable, to the Info record’s smb_share, which I declared as a string variable. The stderr.log included below seems to indicate that the SMB Analyzer is interpreting the path string as a record, not sure which kind. I’ve attempted to escape the string, but this doesn’t seem to work.

Is this a known bug? Does anyone know of another event that would be better suited for identifying the share name, or is there any other easy workaround for this event?

Thanks!
Mike

Below is a sample of the stderr.log output:

There has been a lot of rework done on the smb analyzer that hasn't been released yet. I know that I fixed a lot of bugs existing in the existing analyzer you're working with. Unfortunately there probably isn't much of a way around the problem you're running into unless you want to try my in-progress branch.

I assume you've written all of the scripts to enable the SMB analyzer and add the c$smb field? Would you be interested in putting the scripts up somewhere?

  .Seth

Is this a known bug? Does anyone know of another event that would be better suited for identifying the share name, or is there any other easy workaround for this event?

There has been a lot of rework done on the smb analyzer that hasn’t been released yet. I know that I fixed a lot of bugs existing in the existing analyzer you’re working with. Unfortunately there probably isn’t much of a way around the problem you’re running into unless you want to try my in-progress branch.

If I use your in-progress branch, would this impact other Bro functionality, or could I isolate the update to just smb analyzer functionality?

I assume you’ve written all of the scripts to enable the SMB analyzer and add the c$smb field?

Yes, I followed a few of the base protocol bro scripts as a guide, mostly leveraging the start of the SSH analyzer scripts.

Would you be interested in putting the scripts up somewhere?

It’s still a crude work in progress, but here is the full bro script that I’m currently using:

I like what I’m seeing on this new SMB work!

If I use your in-progress branch, would this impact other Bro functionality, or could I isolate the update to just smb analyzer functionality?

Probably, but I really need to merge the master branch into that branch so it should only be the SMB fixes in that branch that differ from master. There may be some merge conflicts, I don't really know.

Actually… I did some work last night and I'll be pushing out some changes to my topic/seth/smb-smb2-work branch that fully updates it to master in a few minutes (there were a number of merge conflicts).

Would you be interested in putting the scripts up somewhere?

It's still a crude work in progress, but here is the full bro script that I'm currently using:

Cool, nice. :slight_smile:

If you

Be a little careful with this branch at the moment, I actually have file extraction turned on by default (yes, I went ahead and built file extraction and identification into it :slight_smile: ).

  .Seth

I’ve been seeing these too for whatever it’s worth.

1352906659.976267 fatal error in : Val::CONST_ACCESSOR (record/string) ([stime=1352906659.942897, uid=V40HxsmOMT5, message=HTTP 1.1 Without Referer Client Header])

I was going to attempt to re-write the script in a different way to see if I can get it to stop tickling whatever it is.

Possible fix, try renaming some variables. I had a variable named “con” in my script and renaming that to conseen fixed the issue (or seemed to so far). I’ve been seeing crashing at least once an hour and now it’s been > 2 hours w/o a worker crash. Have you tried renaming path_name to something else?

Yea, I tried to do that regarding the Info record variables, which is why I prepended everything with “smb_” in my script.

I also tried your suggestion of renaming path_name to something like pathfoostring, but I’m still getting the same crash when connecting to an smb file share.
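As an added illustration, not Mike's script or anything from Seth's branch, here is a minimal Bro 2.x-style module of the kind the thread describes: it keeps a per-connection Info record with an smb_share string field and fills it from smb_com_tree_connect_andx. The event signature (c, hdr, path, service) is assumed from the 2.1 event.bif and is not confirmed by the thread; the module and field names are made up for the example.

```bro
##! Added example (not the poster's script): log the SMB share path
##! requested in a Tree Connect AndX into a per-connection record.
##! Assumes the Bro 2.1 event
##!   smb_com_tree_connect_andx(c, hdr, path, service)
##! where path and service are strings.

@load base/frameworks/logging

module SMBShare;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ## Time of the Tree Connect AndX request.
        ts:          time    &log;
        ## Connection unique id.
        uid:         string  &log;
        ## Connection 4-tuple.
        id:          conn_id &log;
        ## Share path copied from the event's string argument.
        smb_share:   string  &log &optional;
        ## Service type requested by the client.
        smb_service: string  &log &optional;
    };

    ## Event raised for every record written to the smb_share log.
    global log_smb_share: event(rec: Info);
}

## Attach the record to the connection, as the thread's c$smb field does.
redef record connection += {
    smb: Info &optional;
};

event bro_init() &priority=5
    {
    Log::create_stream(SMBShare::LOG, [$columns=Info, $ev=log_smb_share]);
    }

## Assumed Bro 2.1 signature for the SMB analyzer event.
event smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string, service: string)
    {
    # Build the record in a local first, then attach it to the
    # connection, so nothing is assigned into an unset c$smb field.
    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id];
    rec$smb_share = path;
    rec$smb_service = service;
    c$smb = rec;
    Log::write(SMBShare::LOG, rec);
    }
```

The resulting smb_share.log gives a per-connection record of which shares each client asked for, which is the visibility the thread is after.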