smb_mapping log add new field from conn.log

Hi,

I need to copy a field from conn.log and add it to smb_mapping.log. In my script the copy part is working, but it's not writing into smb_mapping.log. Am I using the correct SMB events, or is anything wrong there?

My code:

@load policy/protocols/smb
module TrackSMB;

redef LogAscii::use_json = T;

export {
    global conn_resp_ip_bytes: table[addr] of count &synchronized &write_expire=7day;

    global conn_name_proto: table[addr] of transport_proto &synchronized &write_expire=7day;

    redef record SMB::TreeInfo += {
        proto: transport_proto &optional &log;
        resp_ip_bytes: count &optional &log;
    };
}

event Conn::log_conn(rec: Conn::Info)
{
    if ( rec?$resp_ip_bytes )
        conn_resp_ip_bytes[rec$id$orig_h] = rec$resp_ip_bytes;

    if ( rec?$proto )
        conn_name_proto[rec$id$orig_h] = rec$proto;
}

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=10
{
    if ( c$id$orig_h in TrackSMB::conn_resp_ip_bytes )
        f$info$resp_ip_bytes = TrackSMB::conn_resp_ip_bytes[c$id$orig_h];

    if ( c$id$resp_h in TrackSMB::conn_resp_ip_bytes )
        f$info$resp_ip_bytes = TrackSMB::conn_resp_ip_bytes[c$id$resp_h];

    if ( c$id$orig_h in TrackSMB::conn_name_proto )
        c$smb$proto = TrackSMB::conn_name_proto[c$id$orig_h];

    if ( c$id$resp_h in TrackSMB::conn_name_proto )
        f$info$proto = TrackSMB::conn_name_proto[c$id$resp_h];
}
Anything wrong in the above script, or do I need to change any events?

Regards,
Sunu

You have several problems that I'm seeing, but I haven't actually run your script to see if there are more.

    redef record SMB::TreeInfo += {
        proto: transport_proto &optional &log;
        resp_ip_bytes: count &optional &log;
    };

You added these fields to the SMB::TreeInfo record (just keep that in mind)...

    event Conn::log_conn (rec: Conn::Info)
    {
        if(rec?$resp_ip_bytes) {
            conn_resp_ip_bytes[rec$id$orig_h] = rec$resp_ip_bytes;
        }

        if(rec?$proto) {
            conn_name_proto[rec$id$orig_h] = rec$proto;
        }

This whole section is only run when a conn log entry is being written, so if everything only happens over a single connection you won't see your tables have any data, since nothing will be written until the connection ends.

    event file_over_new_connection(f:fa_file; c: connection, is_orig: bool) &priority=10
    {
        if ( c$id$orig_h in TrackSMB::conn_resp_ip_bytes )
            f$info$resp_ip_bytes = TrackSMB::conn_resp_ip_bytes[c$id$orig_h];

You put those fields into the SMB::TreeInfo record, but f$info is the Files::Info record.

        c$smb$proto = TrackSMB::conn_name_proto[c$id$orig_h];
        if ( c$id$resp_h in TrackSMB::conn_name_proto )
            f$info$proto = TrackSMB::conn_name_proto[c$id$resp_h];

You are jumping around a bit here: you added the proto field to SMB::TreeInfo, but c$smb doesn't even exist. To access the SMB::TreeInfo record, it should be c$smb_state$current_tree.

.Seth

Keep in mind that if you are running a cluster, your global values are stored locally on each worker so connections happening on different workers won’t know the values for the other workers.

.Seth

Hi Sunu,

Seth has pretty much addressed all the problems the script has.
I just wanted to add that you should be careful about the types of events you choose
to log entries for.

The event “file_over_new_connection” will be triggered for “every” file Bro sees
over a connection.
And the event “log_conn” will be triggered for every connection Bro logs a record for.

What your code is currently trying to do is record protocol and resp_ip_bytes for every connection,
and if the connection happens to have a file transfer, then log those two fields in the “file” record,
which doesn’t seem to be your use case.

Also, I do not see any checks for the “SMB” protocol specifically. Hence, all your if conditions will always
be true if the connection happens to have resp_ip_bytes and proto, which the majority of Bro connections would have.

Thanks,
Fatema.
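Putting Seth's and Fatema's points together, here is an added example (not from the original posts, nor part of the Bro/Zeek SMB scripts) of a script that adds the two columns to smb_mapping.log by reading the live connection record inside SMB events instead of waiting for conn.log. It assumes the SMB policy scripts set c$smb_state$current_tree at &priority=5 and call Log::write(SMB::MAPPING_LOG, ...) at &priority=-5 in the two tree-connect response events named below, so a default-priority handler runs between the two; check that against the version you run.

```zeek
@load policy/protocols/smb

module TrackSMB;

export {
    ## Extra columns for smb_mapping.log. The values come from the live
    ## connection, not from conn.log, which is only written when the
    ## connection ends (the reason the original tables stayed empty).
    redef record SMB::TreeInfo += {
        proto:         transport_proto &optional &log;
        resp_ip_bytes: count           &optional &log;
    };
}

# Copy the two values into the tree record that is about to be logged.
# These are the same sources Conn::set_conn uses for conn.log: the transport
# protocol of the responder port, and c$resp$num_bytes_ip, the IP-level
# bytes the server has sent so far (present when the connection size
# analyzer is enabled). Because the log line is written at tree-connect
# time, this is a running total, not the final conn.log value.
function fill_tree_fields(c: connection)
{
    if ( ! c?$smb_state || ! c$smb_state?$current_tree )
        return;

    local tree = c$smb_state$current_tree;  # records are shared by reference
    tree$proto = get_port_transport_proto(c$id$resp_p);

    if ( c$resp?$num_bytes_ip )
        tree$resp_ip_bytes = c$resp$num_bytes_ip;
}

# Only SMB tree-connect responses reach these handlers, so no separate
# "is this SMB?" check is needed, and nothing is kept in worker-local
# global tables, so the cluster caveat does not apply. Assumed ordering:
# the policy scripts populate current_tree at &priority=5 and log it at
# &priority=-5, so a priority-0 handler sits between the two.
event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header,
                                      service: string, native_file_system: string)
{
    fill_tree_fields(c);
}

event smb2_tree_connect_response(c: connection, hdr: SMB2::Header,
                                 response: SMB2::TreeConnectResponse)
{
    fill_tree_fields(c);
}
```

If the final byte count is what you need, it is only known at connection end, so the alternative is to look the tree up by uid in conn.log at query time rather than at write time.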