[Bro-Dev] HTTP Sensitive POST bro policy

Siwek, Jonathan Luke jsiwek at illinois.edu
Wed Apr 30 11:15:49 PDT 2014


On Apr 30, 2014, at 12:18 PM, Jim Mellander <jmellander at lbl.gov> wrote:

> For a number of reasons, I elected to write the attached bro policy, which looks at http POSTs and performs regular expression matching on the posted data.

Thanks for sharing.

> Kudos to the first person who finds the minor inconsistency that I elected not to address.

Maybe not what you were referring to, but I had two concerns:

(1) “connection_end” doesn’t seem to be a defined event; maybe it's meant to be “connection_state_remove”.

(2) Having the global “POST_entities” and “POST_requests” tables without &read_expire (or another expiry attribute) makes me nervous.  Though I think the cleanup in “http_end_entity” should catch everything, if it doesn’t, that will lead to memory usage issues over time (especially since “connection_end” won’t be a cleanup safety net as intended).

- Jon
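The attached policy is not reproduced on this page. The following is an added illustrative Bro script, not the attachment and not part of the thread, written to show the two points raised above: per-connection tables that carry an expiry attribute so state cannot accumulate indefinitely, primary cleanup in http_end_entity, and connection_state_remove (the real event, in place of the non-existent connection_end) as the safety net. The module name, the notice type Sensitive_POST, the regex, the 16 KB body cap and the 5 min expiry are all assumptions chosen for the example.

```bro
##! Added example policy (not the one attached in the thread).
##! Matches a regular expression against HTTP POST bodies and bounds the
##! per-connection state with &read_expire plus explicit cleanup.

@load base/frameworks/notice
@load base/protocols/http

module SensitivePOST;

export {
    redef enum Notice::Type += {
        ## Raised when a POST body matches sensitive_patterns (assumed name).
        Sensitive_POST,
    };

    ## Patterns treated as sensitive. Constructed example values only.
    const sensitive_patterns = /password=|ssn=[0-9]{3}-?[0-9]{2}-?[0-9]{4}/ &redef;

    ## Upper bound on body bytes buffered per connection (assumption).
    const max_body = 16384 &redef;
}

# Keyed by conn_id so entries can be dropped when the connection goes away.
# &read_expire is the guard the thread asks for: if neither cleanup handler
# below fires for some connection, the entry still ages out after 5 minutes.
global POST_requests: table[conn_id] of string &read_expire = 5 min;
global POST_entities: table[conn_id] of string &read_expire = 5 min;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    # Remember only POSTs; other methods never create state.
    if ( method == "POST" )
        POST_requests[c$id] = original_URI;
    }

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    # Only request-side (client -> server) bodies of tracked POSTs.
    if ( ! is_orig || c$id !in POST_requests )
        return;

    if ( c$id !in POST_entities )
        POST_entities[c$id] = "";

    # Cap what we buffer so a large upload cannot blow up memory either.
    if ( |POST_entities[c$id]| < max_body )
        POST_entities[c$id] += data;
    }

event http_end_entity(c: connection, is_orig: bool)
    {
    if ( ! is_orig || c$id !in POST_entities )
        return;

    if ( sensitive_patterns in POST_entities[c$id] )
        NOTICE([$note=Sensitive_POST,
                $msg=fmt("sensitive data in POST to %s", POST_requests[c$id]),
                $conn=c,
                $identifier=cat(c$id)]);

    # Primary cleanup: the entity is complete, so drop this connection's state.
    delete POST_entities[c$id];
    delete POST_requests[c$id];
    }

# Safety net: connection_state_remove is raised when Bro discards the
# connection, so anything the HTTP handlers missed is released here.
# Deleting an absent key is a no-op, so this is safe to run unconditionally.
event connection_state_remove(c: connection)
    {
    delete POST_entities[c$id];
    delete POST_requests[c$id];
    }
```

The three mechanisms are layered deliberately: http_end_entity handles the normal case, connection_state_remove catches requests whose entity never completed (for example a connection torn down mid-body), and &read_expire covers any path neither handler sees, so the tables stay bounded even if a future analyzer change alters which events fire.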

