[Bro] user agent string data enrichment
Azoff, Justin S
jazoff at illinois.edu
Thu Jan 5 09:53:32 PST 2017
> On Jan 5, 2017, at 12:03 PM, Kris Secinfo <krissecinfo at gmail.com> wrote:
> I am new to Bro, and am trying to find a way to "enrich" the user agent string to a more readable format. Is there a way that Bro can read the value that is in the user agent string, compare it to a table of known strings and present the "readable" value in a new field?
> For example, I would want Bro to see
> Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
> and add a new field that reads something to the effect of "Google Chrome Version 55.0.2883.87 m (64-bit)"
> Thanks in advance for any new tips/starting points offered!
There is code that generates the software.log entry that tries to normalize things a bit. Does the software.log by any chance already contain the result that you want?
- Justin Azoff
More information about the Bro