[Bro] Learning the Bro Scripting Language Part 3 - Detecting basic auth and going from evidence to practical use in Bro
scott runnels
srunnels at gmail.com
Fri May 4 12:24:59 PDT 2012
Hi Matthias,
Thank you!
Yea, that's definitely a little misleading on my part. I tried to touch on the fact that "Hey, Bro really does this kind of stuff under the hood!" I actually saw the username getting parsed out when I was dumping the connection getting passed into http_header and sent some colorful language at Seth over IM :)
I'm hoping to try to get as many posts up as I can think of. I've been working pretty closely with Seth to make sure that I don't do something 'unbroly', that I stick to the already established conventions, and to make sure I don't go about spreading any misinformation. It's been a great learning experience. I'll reiterate what I said in the post, "Some day, I'll stop being shocked by everything Bro does and just accept that it's wall-to-wall awesome!" Kind of hard sometimes, though!
v/r
Scott Runnels
On May 4, 2012, at 3:09 PM, Matthias Vallentin wrote:
>> I sent the first post of the series to the mailing list and got a
>> decent response from people who were interested in learning Bro's
>> scripting language.
>
> Nice work, Scott!
>
> One small comment: "Three lines of Bro's scripting language and we can
> detect a server using Basic Access Authentication!"
>
> It's actually just one line [1]:
>
> redef HTTP::default_capture_password = T;
>
> This automatically creates a new column password in the http.log with
> the password value, if available.
>
> Keep the posts coming!
>
> Matthias
>
> [1] http://git.bro-ids.org/bro.git/blob/HEAD:/scripts/base/protocols/http/main.bro#l233