smb_files.log generating duplicate entry

Zeek
1

Hi ,

i need to copy 2 fields from conn.log and add it in smb_files.log it is adding but its entering as a duplicate entry
my code

@load policy/protocols/smb
module TrackSMB;
redef LogAscii::use_json = T;

export {

global conn_resp_ip_bytes: table[addr] of count &synchronized &write_expire=7day;
global conn_name_proto: table[addr] of transport_proto &synchronized &write_expire=7day;

global conn_service: table[addr] of string &synchronized &write_expire=7day;

redef record SMB::FileInfo += {
proto: transport_proto &optional &log;

resp_ip_bytes: count &optional &log;

};
}

event Conn::log_conn (rec: Conn::Info)

{

if(rec?$resp_ip_bytes) {

conn_resp_ip_bytes[rec$id$orig_h] = rec$resp_ip_bytes;

}

if(rec?$proto) {
conn_name_proto[rec$id$orig_h] = rec$proto;
}

z

}

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
{

#if (f$source == “SMB”) {
if ( c$id$orig_h in TrackSMB::conn_resp_ip_bytes )
if (c?$smb_state && c$smb_state?$current_cmd) {
c$smb_state$current_cmd$referenced_file$resp_ip_bytes = TrackSMB::conn_resp_ip_bytes[c$id$orig_h];
}
if ( c$id$resp_h in TrackSMB::conn_resp_ip_bytes )
if (c?$smb_state && c$smb_state?$current_cmd) {
c$smb_state$current_cmd$referenced_file$resp_ip_bytes = TrackSMB::conn_resp_ip_bytes[c$id$resp_h];
}

if ( c$id$orig_h in TrackSMB::conn_name_proto )
if (c?$smb_state && c$smb_state?$current_cmd) {
c$smb_state$current_cmd$referenced_file$proto = TrackSMB::conn_name_proto[c$id$orig_h];
}
if ( c$id$resp_h in TrackSMB::conn_name_proto )
if (c?$smb_state && c$smb_state?$current_cmd) {
c$smb_state$current_cmd$referenced_file$proto = TrackSMB::conn_name_proto[c$id$resp_h];
}

Log::write(SMB::FILES_LOG, c$smb_state$current_cmd$referenced_file);

print c$smb_state$current_cmd$referenced_file$proto;

}

}

http://try.bro.org/#/trybro/saved/184583

Regards,
Sunu