[Bro] Learning the Bro Scripting Language Part 3 - Detecting basic auth and going from evidence to practical use in Bro

scott runnels srunnels at gmail.com
Fri May 4 12:24:59 PDT 2012

Hi Matthias,

Thank you!

Yeah, that's definitely a little misleading on my part. I tried to touch on the fact that "Hey, Bro really does this kind of stuff under the hood!" I actually saw the username getting parsed out when I was dumping the connection getting passed into http_header and sent some colorful language at Seth over IM :)

I'm hoping to try to get as many posts up as I can think of. I've been working pretty closely with Seth to make sure that I don't do something 'unbroly', that I stick to the already established conventions, and to make sure I don't go about spreading any misinformation. It's been a great learning experience. I'll reiterate what I said in the post, "Some day, I'll stop being shocked by everything Bro does and just accept that it's wall-to-wall awesome!" Kind of hard sometimes, though!

Scott Runnels

On May 4, 2012, at 3:09 PM, Matthias Vallentin wrote:

>> I sent the first post of the series to the mailing list and got a
>> decent response from people who were interested in learning Bro's
>> scripting language.
> Nice work, Scott!
> One small comment: "Three lines of Bro's scripting language and we can
> detect a server using Basic Access Authentication!"
> It's actually just one line [1]:
>    redef HTTP::default_capture_password = T;
> This automatically creates a new column password in the http.log with
> the password value, if available.
> Keep the posts coming!
>    Matthias
> [1] http://git.bro-ids.org/bro.git/blob/HEAD:/scripts/base/protocols/http/main.bro#l233
