[Bro] Bro script derived off of the referrer

Sam Oehlert soehlert at illinois.edu
Tue Apr 21 09:27:00 PDT 2015

To check a field to see if it's empty, you would use c$http?$referrer

As for input framework stuff:

(this is for version 2.3)
(this blog post is a little older, but I *think* still accurate)


On 4/21/15 9:13 AM, Brian Chilton wrote:
> All,
> I am attempting to write a script that will key off of when the 
> referrer is empty.  The problem with that right now is that when I do 
> this I have to use c$http$referrer == "-" which it does not like as an 
> actual value.  Is there another way to do this?  I tried escaping it 
> with a \ but that didn't seem to work either.  Any assistance you and 
> provide would be great.
> also, does anyone know where I can get some more info on the input 
> framework?
> Thanks,
> BC
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150421/bb5725a9/attachment.html 

More information about the Bro mailing list