[Bro] Bro script derived off of the referrer

Sam Oehlert soehlert at illinois.edu
Tue Apr 21 09:27:00 PDT 2015


To check a field to see if it's empty, you would use c$http?$referrer

As for input framework stuff:

https://www.bro.org/sphinx-git/scripts/base/frameworks/input/main.bro.html 
(this is for version 2.3)
http://blog.bro.org/2012/06/upcoming-loading-data-into-bro-with.html 
(this blog post is a little older, but I *think* still accurate)

-Sam


On 4/21/15 9:13 AM, Brian Chilton wrote:
> All,
> I am attempting to write a script that will key off of when the 
> referrer is empty.  The problem with that right now is that when I do 
> this I have to use c$http$referrer == "-" which it does not like as an 
> actual value.  Is there another way to do this?  I tried escaping it 
> with a \ but that didn't seem to work either.  Any assistance you can 
> provide would be great.
> Also, does anyone know where I can get some more info on the input 
> framework?
> Thanks,
> BC
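
The ?$ check from the reply, combined with the input framework asked about in the question, as an added example that is not part of the original thread. The module name, the notice type and the watched_hosts.tsv file are assumptions made for illustration.

```bro
# Added example (not from the thread): raise a notice when a request to a
# watched host carries no Referer header.
@load base/protocols/http
@load base/frameworks/notice
@load base/frameworks/input

module EmptyReferrer;

export {
    redef enum Notice::Type += { Missing_Referrer };

    # Hypothetical file: tab-separated, first line "#fields<TAB>host",
    # then one hostname per line.
    const watched_hosts_file = "watched_hosts.tsv" &redef;
}

# Index record describing the single column of the input file.
type Idx: record {
    host: string;
};

global watched_hosts: set[string] = set();

event bro_init()
    {
    # REREAD picks up changes to the file without restarting Bro.
    Input::add_table([$source=watched_hosts_file, $name="watched_hosts",
                      $idx=Idx, $destination=watched_hosts,
                      $mode=Input::REREAD]);
    }

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    # Act once per request, after all client headers have been parsed.
    if ( ! is_orig || ! c?$http )
        return;

    # The "-" in http.log is how the ASCII writer prints an unset &optional
    # field; in a script the field does not exist, so test it with ?$.
    if ( c$http?$referrer && c$http$referrer != "" )
        return;

    if ( ! c$http?$host || c$http$host !in watched_hosts )
        return;

    NOTICE([$note=Missing_Referrer, $conn=c,
            $msg=fmt("request to %s without a Referer header", c$http$host),
            $identifier=cat(c$id$orig_h, c$http$host)]);
    }
```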
