[Bro] Script Question

Mike Sconzo sconzo at visiblerisk.com
Tue Feb 21 07:34:39 PST 2012 

| This create a log record for each header. Is that what you want? Or would you
| like to record HTTP headers for each request/reply in a single line?

Yeah, this was done more to figure out what was going on and to wrap
my head around the syntax

| You could inserting bare print statements and then running the script on a
| small trace using just the Bro binary, e.g.,
|
|    bro -r your_trace your_script
|
| and observe the output on STDOUT.
|
| I did include the log attribute, I'll conquer that next.  More
questions first.

This was just what I needed, thanks!

I did include the  &log attribute, but I still have no actual clue
what I'm doing.  The price of learning.

Another question, is there a way to force (enable) headers to be
matched in a case sensitive way?
In other words I'm interested in "normal" looking headers.  Accept: is
pretty standard accross browser implementation where as accept: or
ACCEPT are outliers.  I noticed when I print the headers they are all
uc'd, didnt know if there was a way around this.

Reason behind all of these odd questions.  I've been working on some
passive identification of browsers so I can ask the question of "what
browser tells me it's msie via the user-agent string, but doesn't
behave like it".  With my current implentation I've got about a 72%
accuracy/detection rate, however it's currently implemented in another
product (commercial) that not everybody can afford. So I figured I'd
port it over and learn bro in the process so I could give it back to
the community.

Thanks for putting up with the questions.

-=Mike



On Mon, Feb 20, 2012 at 8:03 PM, Seth Hall <seth at icir.org> wrote:
>
> On Feb 20, 2012, at 4:41 PM, Mike Sconzo wrote:
>
>> I'm still trying to get a handle on script writing, but I have a
>> question on one of the events.
>
>
> You may need to send along more of the script for use to help debug it.  One thought I have though, is did you make sure and include the &log attribute on the record type that you are logging?
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>



-- 
cat ~/.bash_history > documentation.txt

More information about the Bro mailing list