[Bro] Script Question

Seth Hall seth at icir.org
Tue Feb 21 09:48:23 PST 2012


On Feb 21, 2012, at 10:34 AM, Mike Sconzo wrote:

> Another question, is there a way to force (enable) headers to be
> matched in a case sensitive way?

Yeah, this has always bothered me a little bit too.  I'd like to change that for 2.1; we have some other changes that we are already planning on making to the HTTP analyzer for 2.1 anyway and we can work this in there.  (In other words, no, with 2.0 you are stuck with upper-cased header names unless you change the HTTP analyzer in the core and rebuild.)

> I've been working on some
> passive identification of browsers so I can ask the question of "what
> browser tells me it's msie via the user-agent string, but doesn't
> behave like it".  

Awesome!  Have you checked out my script to detect browsers by the headers they send and the order they send them?  Feel free to take any code from that script if it helps you with your browser detection.

	https://github.com/sethhall/bro_scripts/blob/master/testing/http-watch-header-order.bro

> With my current implementation I've got about a 72%
> accuracy/detection rate

Cool, which detection techniques have you implemented so far?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
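The kind of header-order consistency check the thread is about, as an added stand-alone example that is not Seth's script, not part of Bro, and not Mike's implementation. It parses an HTTP/1.x request head, keeps the header names in wire order, normalizes their case for lookup (Bro 2.0 upper-cases names before scripts see them, so the normalization mirrors what a 2.0 script would get), and compares the observed order against reference orders using the fraction of pairwise orderings preserved. The `KNOWN_ORDERS` table, the `UA_CLAIMS` mapping and both sample requests are constructed placeholders for illustration; real signatures have to be measured from traffic, which is what the 72% figure above presumably reflects.

```python
"""Header-order consistency check for passive browser identification.

Added example: not Seth Hall's http-watch-header-order.bro and not Bro code.
All fingerprints and sample requests below are CONSTRUCTED placeholders.
"""
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Constructed reference header orders keyed by a made-up browser family label.
# Real values must be measured from observed traffic; these are illustrative.
KNOWN_ORDERS: Dict[str, List[str]] = {
    "family-a": ["host", "user-agent", "accept", "accept-language",
                 "accept-encoding", "connection"],
    "family-b": ["accept", "accept-language", "user-agent",
                 "accept-encoding", "host", "connection"],
}

# Constructed mapping from a User-Agent substring to the family it claims.
UA_CLAIMS: List[Tuple[str, str]] = [("MSIE", "family-a"), ("Firefox", "family-b")]


def parse_request_head(raw: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from an HTTP/1.x request head in wire order.

    Original name casing is preserved here so a caller that wants to use casing
    as a signal (the case-sensitivity question in the thread) still can.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines or not lines[0]:
        raise ValueError("missing request line")
    pairs = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        pairs.append((name.strip().decode("ascii"), value.strip().decode("latin-1")))
    return pairs


def header_order(raw: bytes) -> List[str]:
    """Lower-cased header names in the order they appeared on the wire."""
    return [name.lower() for name, _ in parse_request_head(raw)]


def get_header(raw: bytes, wanted: str) -> Optional[str]:
    """Case-insensitive lookup of the first header with the given name."""
    for name, value in parse_request_head(raw):
        if name.lower() == wanted.lower():
            return value
    return None


def claimed_family(user_agent: Optional[str]) -> Optional[str]:
    """Which family the User-Agent string claims to be, or None if unknown."""
    if user_agent is None:
        return None
    for token, family in UA_CLAIMS:
        if token in user_agent:
            return family
    return None


def order_similarity(observed: List[str], reference: List[str]) -> float:
    """Fraction of (a before b) pairs in the reference that hold in observed.

    Headers missing from the observed request count as unpreserved pairs, so
    a request that drops or reorders headers scores lower.
    """
    pairs = list(combinations(reference, 2))
    if not pairs:
        return 0.0
    pos: Dict[str, int] = {}
    for i, name in enumerate(observed):
        pos.setdefault(name, i)  # first occurrence wins for duplicates
    kept = sum(1 for a, b in pairs if a in pos and b in pos and pos[a] < pos[b])
    return kept / len(pairs)


def classify(raw: bytes, threshold: float = 0.9) -> dict:
    """Compare what the User-Agent claims with what the header order looks like."""
    observed = header_order(raw)
    scores = {fam: order_similarity(observed, ref) for fam, ref in KNOWN_ORDERS.items()}
    best = max(scores, key=scores.get)
    claimed = claimed_family(get_header(raw, "User-Agent"))
    consistent = claimed is not None and claimed == best and scores[best] >= threshold
    return {"claimed": claimed, "best_match": best,
            "score": scores[best], "consistent": consistent}


# Constructed sample requests (not captured traffic).
REQ_CONSISTENT = (b"GET / HTTP/1.1\r\n"
                  b"Host: example.test\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n"
                  b"Accept: */*\r\n"
                  b"Accept-Language: en-US\r\n"
                  b"Accept-Encoding: gzip\r\n"
                  b"Connection: keep-alive\r\n\r\n")

# Claims MSIE in the User-Agent but sends headers in family-b's order.
REQ_MISMATCH = (b"GET / HTTP/1.1\r\n"
                b"Accept: */*\r\n"
                b"Accept-Language: en-US\r\n"
                b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n"
                b"Accept-Encoding: gzip\r\n"
                b"Host: example.test\r\n"
                b"Connection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("consistent", REQ_CONSISTENT), ("mismatch", REQ_MISMATCH)):
        print(label, classify(req))
```

The pairwise-order score is deliberately tolerant of a single inserted or dropped header, which is what makes it usable on real traffic where proxies and extensions add headers; the `threshold` parameter is where you trade false positives for coverage.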
