[Bro] Duqu script

Jan Grashofer jan.grashofer at cern.ch
Fri Nov 27 04:10:04 PST 2015

Hi Zied,

while mime_types was a string, resp_mime_types is a vector of strings. If I am not mistaken it contains all matching mime types ordered by probability. Unfortunately I am not able to find proof for this in the documentation. However, to fix your issue you could loop through the vector or just use the first element resp_mime_types[0].

Best regards,


From: bro-bounces at bro.org [bro-bounces at bro.org] on behalf of Zied Turki [zied.turki at outlook.com]
Sent: Friday, November 27, 2015 11:54
To: bro at bro.org
Subject: [Bro] Duqu script

Dear all,

I tried to test the bro script to log the Duqu attack published through Github.  The broctl check failed and here below the output :

"error in /usr/local/bro/share/bro/policy/bro-scripts/duqu.bro, line 81: no such field in record (HTTP::c$http$mime_types)"

I've understood that $mime_type has changed in the new bro version and I've tried to change it in the script with "resp_mime_types" . Here below the new output :

error in /usr/local/bro/share/bro/base/protocols/http/./entities.bro, line 27 and /usr/local/bro/share/bro/policy/bro-scripts/duqu.bro, line 81: pattern requires string index (vector of string and /^?(image\/jpeg)$?/)

I am new to bro scripts. Please, I need your help to understand how to manage this kind of errors. Anyone could help please ?

Please find below the link to the original script :

Many thanks,


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151127/a338622e/attachment.html 

More information about the Bro mailing list