[Bro] Script Question
Mike Sconzo
sconzo at visiblerisk.com
Tue Feb 21 07:34:39 PST 2012
| This create a log record for each header. Is that what you want? Or would you
| like to record HTTP headers for each request/reply in a single line?
Yeah, this was done more to figure out what was going on and to wrap
my head around the syntax
| You could inserting bare print statements and then running the script on a
| small trace using just the Bro binary, e.g.,
|
| bro -r your_trace your_script
|
| and observe the output on STDOUT.
|
| I did include the log attribute, I'll conquer that next. More
questions first.
This was just what I needed, thanks!
I did include the &log attribute, but I still have no actual clue
what I'm doing. The price of learning.
Another question, is there a way to force (enable) headers to be
matched in a case sensitive way?
In other words I'm interested in "normal" looking headers. Accept: is
pretty standard accross browser implementation where as accept: or
ACCEPT are outliers. I noticed when I print the headers they are all
uc'd, didnt know if there was a way around this.
Reason behind all of these odd questions. I've been working on some
passive identification of browsers so I can ask the question of "what
browser tells me it's msie via the user-agent string, but doesn't
behave like it". With my current implentation I've got about a 72%
accuracy/detection rate, however it's currently implemented in another
product (commercial) that not everybody can afford. So I figured I'd
port it over and learn bro in the process so I could give it back to
the community.
Thanks for putting up with the questions.
-=Mike
On Mon, Feb 20, 2012 at 8:03 PM, Seth Hall <seth at icir.org> wrote:
>
> On Feb 20, 2012, at 4:41 PM, Mike Sconzo wrote:
>
>> I'm still trying to get a handle on script writing, but I have a
>> question on one of the events.
>
>
> You may need to send along more of the script for use to help debug it. One thought I have though, is did you make sure and include the &log attribute on the record type that you are logging?
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
--
cat ~/.bash_history > documentation.txt
More information about the Bro
mailing list