I’m writing a custom NAS enumeration script that uses the CIFS_RESPONSE event. I require the script to parse client IP, server IP and CIFS.share telemetry.
However, only the source IP will be used as a key_name for the session table, as I’m trying to identify all the shares and destination IPs accessed by a single client IP.
When attempting to map the key_name using the source IP, I received this error: “Invalid argument provided. String or Buffer required”.
When checking for the type of data, source IP is categorized as a buffer object, while my constant variable is just a string, so I’m not sure what is causing the error.
I tried the same way of mapping the key_name using the HTTP_RESPONSE event type but did not receive the same error.
<CIFS_RESPONSE>
>
> const KEYNAME_SMB_CIFS_enum_v2 = "v5_BSMBCIFS_Rsp2";
> if(event == CIFS_RESPONSE)
> updateSessionEntry (Flow.client.ipaddr, Flow.server.ipaddr, CIFS.share);
>
> function updateSessionEntry(src_ip, dst_ip, share){
> debug("~srciptype2: " + typeof src_ip + "~key: " + typeof KEYNAME_SMB_CIFS_enum_v2 + "\n");
> let key_name = KEYNAME_SMB_CIFS_enum_v2 + md5(src_ip); // Error occurred here
> }
<HTTP_RESPONSE>
>
> const KEY_NAMESPACE = "comb_c2";
>
> if(event == HTTP_RESPONSE)
> updateSessionEntry (Flow.client.ipaddr, Flow.server.ipaddr, HTTP.host);
>
> function updateSessionEntry(src_ip, dst_ip, host){
> let key_name = KEY_NAMESPACE + md5(src_ip + trimmed_uri);
> }
Same type of variable but different output.
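
Added example, not part of the original post and not the platform's own code: a stand-alone JavaScript sketch of the two cases posted above, keyed per client IP. It assumes the address is an object with a toString() method and that md5() rejects anything other than a string or Buffer, as the quoted error says; FakeIPAddress, the FNV-1a digest used in place of real MD5, sessionTable, tryHash and the sample events are constructed stand-ins.

```javascript
// Constructed stand-in for Flow.client.ipaddr: an object, not a string (assumption).
class FakeIPAddress {
  constructor(text) { this.text = text; }
  toString() { return this.text; }
}

// Stand-in for the trigger md5(): applies the argument check quoted in the post.
// FNV-1a replaces real MD5 so the sketch has no dependencies.
function md5(input) {
  if (typeof input !== "string" && !(input instanceof Uint8Array)) {
    throw new TypeError("Invalid argument provided. String or Buffer required");
  }
  const bytes = typeof input === "string" ? new TextEncoder().encode(input) : input;
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

const KEYNAME_SMB_CIFS_enum_v2 = "v5_BSMBCIFS_Rsp2"; // from the post
const sessionTable = new Map(); // stand-in for the session table

// Returns the digest, or the error message if md5() rejects the argument.
function tryHash(value) {
  try { return md5(value); } catch (e) { return e.message; }
}

// One entry per client IP: the address is converted to text before hashing.
function updateSessionEntry(srcIp, dstIp, share) {
  const keyName = KEYNAME_SMB_CIFS_enum_v2 + md5(String(srcIp));
  let entry = sessionTable.get(keyName);
  if (!entry) {
    entry = { client: String(srcIp), servers: new Set(), shares: new Set() };
    sessionTable.set(keyName, entry);
  }
  entry.servers.add(String(dstIp));
  if (share) entry.shares.add(share);
  return entry;
}

// Constructed sample events: [client, server, share]
const sampleEvents = [
  ["10.0.0.5", "10.0.1.10", "\\\\FS01\\finance"],
  ["10.0.0.5", "10.0.1.11", "\\\\FS02\\hr"],
  ["10.0.0.9", "10.0.1.10", "\\\\FS01\\finance"],
];
for (const [c, s, share] of sampleEvents) {
  updateSessionEntry(new FakeIPAddress(c), new FakeIPAddress(s), share);
}
```

With these stand-ins, passing the address object straight to md5() reproduces the quoted error, while concatenating it with a string first, as the HTTP_RESPONSE variant does, yields a string that md5() accepts.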