[Bro] bro scripting issue

anthony kasza anthony.kasza at gmail.com
Mon Sep 19 12:59:49 PDT 2016

Have you tried putting the referer field existence check in its own if
statement before you check the values of anything else?


On Sep 19, 2016 3:40 PM, "Matias Davaro" <matiasdavaro at gmail.com> wrote:


I am trying to learn the Bro programming language and, as an exercise, was
attempting to convert this CLI one-liner,

bro-cut id.orig_h id.resp_h method host referrer < http.log | awk '$3 ~/POST/ && $5 !~/[a-zA-Z]/ {print $2"\t"$4}' | sort -u

into the following code:

module HTTP;

export {
    # Hosts whose POSTs should be ignored (search engines and similar).
    const http_resp_whitelist = set("otf.msn.com", "www.bing.com");
}

# Fires once per header line, so the record is checked as it stands when the
# HOST header arrives.
event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    if ( c$http$method == "POST" && c$http?$referrer == F && name == "HOST" &&
         c$http$host !in http_resp_whitelist )
        print fmt("%s, %s", c$id$resp_h, c$http$host);
}


My objective is to print HTTP POSTs with no referrers and have a whitelist
that includes search engines and other sites I'll add later. Though it
works for the one pcap I originally wrote it for, it does not work for
other ones, still printing HTTP POSTs whether they have a referrer or not.
Is name == "HOST" necessary? When I remove it, it gives me the field value
missing error. If anyone could point me in the right direction, it would be
appreciated. Again, any critiques or recommendations would be appreciated.
Thank you.
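As an added example (not code from either poster), here is the approach the reply points at: test each optional field with ?$ before reading it, and do the check once per transaction in Bro's HTTP::log_http event, which fires after all headers of a request/response pair have been parsed, rather than in http_header, which fires per header line and usually sees the Host line before the Referer line. It assumes the standard HTTP::Info field names (method, host, referrer, id) from base/protocols/http; the whitelist contents are taken from the question, and the "seen" set is my addition to mimic the one-liner's sort -u.

```bro
module HTTP;

export {
    # Hosts whose POSTs are expected to lack a Referer header (from the question).
    const http_resp_whitelist: set[string] = set("otf.msn.com", "www.bing.com") &redef;
}

# (server address, host) pairs already printed, so each is reported once,
# like the `sort -u` at the end of the one-liner.
global seen_post_no_referrer: set[addr, string];

# HTTP::log_http fires once per request/response pair, after every header has
# been parsed, so rec$referrer is final by the time this handler runs.
event HTTP::log_http(rec: HTTP::Info)
{
    # Optional fields must be tested with ?$ before being read; reading an
    # unset one aborts the handler with a "field value missing" error.
    if ( ! rec?$method || rec$method != "POST" )
        return;

    # A Referer header was present: not what we are looking for.
    if ( rec?$referrer )
        return;

    # No Host header at all, or a whitelisted host: ignore.
    if ( ! rec?$host || rec$host in http_resp_whitelist )
        return;

    # Report each (server, host) pair only once.
    if ( [rec$id$resp_h, rec$host] in seen_post_no_referrer )
        return;
    add seen_post_no_referrer[rec$id$resp_h, rec$host];

    print fmt("%s\t%s", rec$id$resp_h, rec$host);
}
```

Run it the same way as the original script, e.g. `bro -r some.pcap this_script.bro`; because the check happens once per transaction, a request whose Referer line follows its Host line is no longer misreported.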


Bro mailing list
bro at bro-ids.org