[Bro] Bro scripts

Matthias Vallentin vallentin at icir.org
Thu Oct 28 17:59:36 PDT 2010

> I'm doing work on Bro's policy scripts for the next release and I want
> to find policy scripts floating around that can be shared and any
> helpful code snippets.  Anything you can contribute would be greatly
> appreciated, thanks!

The whole buzz about Firesheep caused me to hack up a sidejacking
detector. I haven't tested it because I literally wrote it 5 minutes


Here is the code:

    @load http-request
    @load http-reply

    module HTTP;

    export {
        redef enum Notice += { CookieReuse };

        # Maximum number of client addresses that may present the same cookie.
        const max_cookies = 1 &redef;

        # Time after which an entry expires.
        const cookie_expiration = 1 hr &redef;
    }

    # Set of client addresses seen per cookie value.
    global cookies: table[string] of set[addr] &write_expire = cookie_expiration;

    event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
        # We are only looking for session IDs in the client cookie header.
        if (! (is_orig && name == /[cC][oO][oO][kK][iI][eE]/))
            return;

        # Record this client address under the cookie value it sent.
        local client = c$id$orig_h;
        if (value !in cookies)
            cookies[value] = set();
        add cookies[value][client];

        # Nothing to report while the cookie stays within the allowed address count.
        if (|cookies[value]| <= max_cookies)
            return;

        local s = lookup_http_request_stream(c);
        NOTICE([$note=CookieReuse, $src=client,
                $msg=fmt("potential sidejacking by %s: cookie used by %d addresses",
                client, |cookies[value]|)]);
    }
