Hello all,
I’ve been porting the SMB script over to Bro 2.x, but I seem to have run into a problem with one of the event prototypes. When trying to work with the event smb_com_tree_connect_andx (with prototype event (c: connection, hdr: smb_hdr, path: string, service: string)), I am unable to correctly parse the path argument. Using the SANS 2013 Holiday PCAP as an example:
david@david-sec-onion:~/Desktop/sans_analysis$ bro -C -r sansholidayhack2013.pcap smb.bro | more
[flags=0, password=\0, path=\10.25.22.58\IPC$, service=???]
To me, it looks like the path field might actually be a set, though I’m relatively new to Bro. Does anybody have thoughts regarding this?
Thanks,
David
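The following is an added example, not code from David's post or from the Bro project: a minimal handler for the smb_com_tree_connect_andx prototype quoted above (c: connection, hdr: smb_hdr, path: string, service: string), written from a monitoring point of view so that every tree connect is logged and connects to the IPC$ share are flagged. It assumes that prototype as given, the Bro 2.x logging framework, and the builtins fmt(), strstr(), to_lower() and network_time(); the module and log names (SMBTree, smbtree.log) are this example's own choices.

```bro
# Added example (not from the original post or the Bro distribution).
# Logs SMB1 TREE_CONNECT_ANDX requests and marks connects to IPC$,
# which is what most remote-administration and named-pipe traffic uses
# and is therefore worth reviewing in an incident.
module SMBTree;

export {
    # Assumed: Log::ID is extended the usual way for a new log stream.
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:      time    &log;   # time the request was seen
        id:      conn_id &log;   # 4-tuple of the SMB session
        path:    string  &log;   # UNC path from the request, e.g. \\host\share
        service: string  &log;   # service type string from the request
        is_ipc:  bool    &log;   # true when the share name is IPC$
    };
}

event bro_init()
    {
    # Creates smbtree.log with the columns of the Info record.
    Log::create_stream(SMBTree::LOG, [$columns=Info]);
    }

# Same prototype as quoted in the post; only the body is ours.
event smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string, service: string)
    {
    # Case-insensitive substring check; strstr() returns 0 when not found.
    local ipc = strstr(to_lower(path), "ipc$") > 0;

    Log::write(SMBTree::LOG, [$ts=network_time(), $id=c$id, $path=path,
                              $service=service, $is_ipc=ipc]);

    # Printing to stdout mirrors what the post's run did, so the raw path
    # value can be compared with the logged one while debugging the parse.
    print fmt("%s -> %s tree connect path=%s service=%s ipc=%s",
              c$id$orig_h, c$id$resp_h, path, service, ipc);
    }
```

Run it the same way as in the post (bro -C -r sansholidayhack2013.pcap smbtree.bro): if path really arrives as a plain string, the printed value should be just the UNC path rather than the whole [flags=..., password=..., path=..., service=...] record shown above, which is a quick way to tell whether the argument type matches the prototype.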