Vikram Basu vikrambasu059 at gmail.com
Tue Sep 12 04:28:38 PDT 2017

I have made a sample Bro script after looking into the ssn-exposure and credit-card-exposure scripts, but I am getting the error 
“{"ts":1505214009.989112,"level":"Reporter::ERROR","message":"string without NUL terminator: \u0022CONFIDENTIAL\u005cx0a\u0022","location":""}” in reporter.log

How would I fix this?



Here is the script

#Keyword Matching Basic script
@load base/frameworks/notice

module KeywordMatch;

export {
    # Exported declarations of the KeywordMatch module: the log stream ID, a
    # notice-type extension, the log record and the keyword to search for.
    # NOTE(review): as listed here the closing braces of this export block, of
    # the Notice::Type redef and of the Info record are absent, so the script
    # will not parse as shown.
    ## Keyword Matching Log ID definition
    redef enum Log::ID += { LOG };
    # NOTE(review): no notice type is named between the braces in this listing;
    # a notice needs an enum value declared here.
    redef enum Notice::Type += {
    # One row of the keyword-match log.
    type Info: record {
        ts:     time    &log;
        uid:    string  &log;
        id:     conn_id &log;
        word:   string  &log &optional;
        # check_keyword() stores the whole matching chunk in this logged field,
        # so the log then holds a copy of the sensitive content and needs the
        # same access control as the data it flags.
        data:   string  &log;
    ## The Keyword that is being matched
    # &redef lets a site override the value; it is compared byte-for-byte.
    const keyword = "CONFIDENTIAL" &redef;

# At startup, registers the KeywordMatch::LOG stream with Info as its column
# record. NOTE(review): the braces around the handler body are absent from
# this listing.
event bro_init() &priority=5 
    Log::create_stream(KeywordMatch::LOG, [$columns=Info]);

# Tests one chunk of data for the configured keyword and, on a match, writes a
# row to KeywordMatch::LOG. Returns T when the keyword was found, else F.
#   c:    connection the chunk is attributed to (supplies uid and id).
#   data: the chunk to search.
# NOTE(review): the braces of the function and of both if-bodies are absent
# from this listing.
function check_keyword(c: connection, data: string): bool
    local it_matched = F;
    # Substring test on this chunk only: it is case-sensitive, and a keyword
    # split across two successive chunks would not be found here.
    if ( keyword in data )
        it_matched = T;

    if ( it_matched )
        # $data carries the full chunk, so the matched content itself is
        # written to the log.
        local log: Info = [$ts=network_time(),
                            $uid=c$uid, $id=c$id,
                            $word=keyword, $data=data];
        Log::write(KeywordMatch::LOG, log);
        # NOTE(review): the next line is a stray record field; it looks like
        # the remainder of a NOTICE([...]) call whose other lines are missing
        # from the listing -- confirm against the original script.
                $msg=fmt("Keyword Matched %s",keyword),

        return T;
    return F;

# Handler for file data chunks: picks a connection associated with the file
# and passes the chunk to check_keyword().
# NOTE(review): braces are absent from this listing, so whether the time check
# sits inside the for loop cannot be told from here.
event KeywordMatch::stream_data(f: fa_file, data: string)
    local c: connection;
    # Each iteration overwrites c, so after the loop it holds whichever
    # connection was visited last; if f$conns has no entries c is never set.
    for ( id in f$conns )
        c = f$conns[id];
    # Only chunks seen within 20 seconds of the connection's start are
    # inspected; data sent later on a long-lived connection is skipped.
    # The bool result of check_keyword() is not used.
    if ( c$start_time > network_time()-20secs )
        check_keyword(c, data);

# For each new file, attaches the data-event analyzer when the file's source
# is "HTTP"; files seen over any other source are not inspected.
# NOTE(review): the add_analyzer call is cut off in this listing; its third
# argument presumably names KeywordMatch::stream_data as the stream event --
# confirm against the original script.
# NOTE(review): the analyzer appears to hand over the file's bytes as
# transferred, so formats that compress or encode their text (presumably
# OpenOffice documents and many PDFs) would not contain the literal keyword --
# verify.
event file_new (f: fa_file)
    if ( f$source =="HTTP" )
        Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, 

Is it possible for Bro to perform keyword matching on document files (such as text, OpenOffice, PDF, etc.) and generate notices when the keyword is found?


Vikram Basu

