[Bro-Dev] HTTP Sensitive POST bro policy
Siwek, Jonathan Luke
jsiwek at illinois.edu
Wed Apr 30 11:15:49 PDT 2014
On Apr 30, 2014, at 12:18 PM, Jim Mellander <jmellander at lbl.gov> wrote:
> For a number of reasons, I elected to write the attached bro policy, which looks at http POSTs and performs regular expression matching on the posted data.
Thanks for sharing.
> Kudos to the first person who finds the minor inconsistency that I elected not to address.
Maybe not what you were referring to, but I had two concerns:
(1) “connection_end” doesn’t seem to be a defined event, maybe it's meant to be “connection_state_remove”.
(2) Having the global “POST_entities” and “POST_requests” tables without &read_expire (or another expiry attribute) makes me nervous. Though I think the cleanup in “http_end_entity” should catch everything, if it doesn’t, that will lead to memory usage issues over time (especially since “connection_end” won’t be a cleanup safety net as intended).
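The table and cleanup pattern the reply recommends, written out as an added Bro script that is not part of this thread and not Jim Mellander's attached policy (which is not on the page); the module name, the regex, the size cap and the 5-minute expiry are assumptions. The script buffers POST bodies per connection, matches them in http_end_entity, and relies on &read_expire plus connection_state_remove so an entry can never outlive its connection.

```zeek
# Added example (not the attached policy). Regex and cap are placeholders.
@load base/frameworks/notice
@load base/protocols/http

module SensitivePost;

export {
    redef enum Notice::Type += { Sensitive_POST };
    const sensitive_pattern = /passw(or)?d=/ &redef;   # placeholder pattern
    const max_body_bytes = 64 * 1024 &redef;          # per-body buffer cap
}

# A stale entry means http_end_entity never ran for it: report, then drop it.
function expire_entity(t: table[conn_id] of string, idx: conn_id): interval
    {
    Reporter::info(fmt("expired buffered POST body for %s", idx));
    return 0secs;
    }

# &read_expire is the safety net the reply asks for: untouched entries go away.
global POST_entities: table[conn_id] of string
    &read_expire=5min &expire_func=expire_entity;

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    if ( ! is_orig || ! c?$http || ! c$http?$method || c$http$method != "POST" )
        return;
    if ( c$id !in POST_entities )
        POST_entities[c$id] = "";
    if ( |POST_entities[c$id]| < max_body_bytes )   # bound memory per body
        POST_entities[c$id] += data;
    }

event http_end_entity(c: connection, is_orig: bool)
    {
    if ( ! is_orig || c$id !in POST_entities )
        return;
    if ( sensitive_pattern in POST_entities[c$id] )
        NOTICE([$note=Sensitive_POST, $conn=c,
                $msg=fmt("sensitive pattern in POST body on %s", c$id)]);
    delete POST_entities[c$id];   # normal cleanup path
    }

# connection_state_remove is the defined event (connection_end is not);
# it clears anything left when the entity never ended cleanly.
event connection_state_remove(c: connection)
    {
    if ( c$id in POST_entities )
        delete POST_entities[c$id];
    }
```

If expire_entity ever fires in production, that is the signal that a cleanup path was missed, which is exactly the leak the reply is worried about.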