[Bro] Reporting problem in http_header event
Sanmeet Bhatia
sanmeetkbhatia at gmail.com
Wed Apr 30 02:02:45 PDT 2008
Dear sir,
I have found a bug in the event called http_header. The value : string it
returns has a space at the beginning. Like "www.yahoo.com" will be
returned as " www.yahoo.com".
I am posting You a script where I found it
@load weird
@load alarm
@load http
global path: string;
global urls: set[string] ={"www.yahoo.com","mail.google.com","www.ieee.org
","www.youtube.com","www.bro-ids.org"} ;
global shanz_log = open_log_file("http") &redef;
redef ignore_checksums = T;
event http_request(c: connection, method: string, original_URI: string,
unescaped_URI: string, version: string)
{
path = original_URI;
}
event http_header(c: connection, is_orig: bool, name: string, value: string)
{
if(name == "HOST" )
{
local v = edit(value," ");
if( v in urls)
{
print shanz_log,
fmt("%s:%s->%s:%s",c$id$orig_h,c$id$orig_p,c$id$resp_h,c$id$resp_p);
}
}
}
If I simply compare the value it doesn't match. or even if I print the value
its printing with one whitespace prefixed at the beginning.
Regards,
Sanmeet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080430/3cd99b7d/attachment.html
More information about the Bro
mailing list