dnj0496 at gmail.com
Fri Jun 9 21:21:25 PDT 2017
I am trying to solve a problem, where I am analyzing some http traffic
using bro. To limit the bro log sizes, I want to capture only those http
events which have certain string patterns in their bodies. The string
patterns will be unique for each host + uri pair. I am putting this info
(host, uri, regex) in a file and loading it into bro using the file input
framework. I want to apply the regex on the http body if the host and uri
match. When I try to search the body using:
find_all(body, string_to_pattern(regex_string_from_file, T));
I get some very weird behavior. The code in the entire block after the
string_to_pattern statement is not executed (and I don't get any error).
This happens when I run it on the command line against a pcap.
To understand the problem better, I tried to reproduce the problem on
try.bro.org. I get the following error when I use string_to_pattern in my
script on the try.bro.org website. I would like to understand the reason
behind this restriction. Also, I would like to know whether there are any
alternative solutions I can pursue to solve my problem. Any help is appreciated. Thanks.
1320279566.452687 error in ././trybro.bro, line 17: string_to_pattern
can only be called at init time (string_to_pattern(Hello, World, T))