Using 2.4
I’m having a problem in a connection_finished event. I’ve extended the connection record with an extra field.
But... when processing a 512MB capture file I have, I get a number of connection events that don’t have a c$conn record in them.
I get the same behavior using connection_EOF.
This script demonstrates the problem. I’ve attached a sample of the conn.log records that show a mix of good/bad where you can see the TEST1 and N/A default on the non-conn records.
1426100429.761609 expression error in ./test.bro, line 11: field value missing [c$conn]
It seems that if there is no “string” value or if it’s an ssl, dns, for example, then there is no $conn field.
Is there an extendable record in a connection record that is ALWAYS there?
@load base/utils/site
@load base/protocols/conn

redef record Conn::Info += {
    testfield: string &default="N/A" &log;  # extra column written to conn.log
};

event connection_finished(c: connection)
{
    if (!c?$conn) {
        c$conn$testfield = "TEST2";  # c$conn is unset in this branch, so this assignment raises the "field value missing" error
    }
    else {
        print("TEST1");
        c$conn$testfield = "TEST1";
    }
}
badconn.txt (3.13 KB)