[Bro] Help with http_entity_data script

scottie jwillie4020 at gmail.com
Thu Dec 5 20:29:07 PST 2013

I have this script:

event http_entity_data(c: connection, is_orig: bool, length: count,
data: string)
    {
    if ( c$http$method == "GET" && /\.seek\.com\.au/ in c$http$host &&
         /^\/Jobsearch\?=/ in c$http$uri )
        print fmt("%s", c$http$host);
    }

It doesn't print anything running this command:
bro -r seek.pcap seek.bro
All I get back is a whole bunch of these (bro 2.1):
ERROR: 1386300192.418090 field value missing [c$http$method]
(./seek.bro, line 4)

If I run the same command on my local box (bro 2.2) I get a whole bunch
of these:
1386301933.432853 expression error in ./seek.bro, line 4: field value
missing [c$http$method]

If I remove the first bit of the if statement "c$http$method == "GET"
&&" I still get errors:
ERROR: 1386300192.418090 field value missing [c$http$host] (./seek.bro,
line 4)

If I just run it through bro with:
bro -r seek.pcap local.bro

In the http.log it's missing the method, host, uri, referrer, and
user_agent, even though the method, host and uri are clearly in the pcap:
1386301933.281650       CJa1U94yRhXVPIdPde     44393    80      0       -       -       -       -       -      
0       235     302     Found   -       -       -       (empty) -      
-  --       -       FYPqLs2ezZWfT428fi      text/html

Been stuck on this for a while, any ideas?
I've been using Scott Runnels' YouTube tutorial for reference:

Here's the pcap if you need to try to replicate it:
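
Added example, not part of the original post: Bro reports "field value missing" when a script reads an &optional record field that has not been set, and the ?$ operator tests whether a field is present. The handler below applies that test to the script above and prints which request fields are unset for a connection; missing_fields is a hypothetical helper name.

```bro
@load base/protocols/http

# Hypothetical helper (not part of Bro): list the optional request
# fields of an HTTP::Info record that are currently unset.
function missing_fields(h: HTTP::Info): string
    {
    local out = "";

    if ( ! h?$method )
        out = out + " method";
    if ( ! h?$host )
        out = out + " host";
    if ( ! h?$uri )
        out = out + " uri";

    return out;
    }

event http_entity_data(c: connection, is_orig: bool, length: count,
                       data: string)
    {
    # c$http is itself optional on the connection record.
    if ( ! c?$http )
        return;

    # This event fires once per chunk of entity data, so the
    # diagnostic line can repeat for a single connection.
    local gaps = missing_fields(c$http);
    if ( gaps != "" )
        {
        print fmt("%s: request fields not set:%s", c$uid, gaps);
        return;
        }

    # All three fields are present, so the original test is safe to run.
    if ( c$http$method == "GET" && /\.seek\.com\.au/ in c$http$host &&
         /^\/Jobsearch\?=/ in c$http$uri )
        print fmt("%s", c$http$host);
    }
```

Connections reported by the diagnostic line are the ones whose http.log entry shows "-" for method, host and uri.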
