[Bro] Learning the Bro Scripting Language Part 3 - Detecting basic auth and going from evidence to practical use in Bro

Matthias Vallentin vallentin at icir.org
Fri May 4 12:39:50 PDT 2012


> I'm hoping to try to get as many posts up as I can think of.

Terrific!

> I've been working pretty closely with Seth to make sure that I don't
> do something 'unbroly', that I stick to the already established
> conventions, and to make sure I don't go about spreading any
> misinformation.

For sure, you're on the safe path with Seth on your side :-). Speaking
of conventions, one additional Bro idiom comes to mind. Maybe that's
already clear to you, even better then.

As you may have noticed, there are several boolean indicator flags in
the connection record. This introduces a new idiom: selectively enabling
or disabling certain analyses on a *per-connection basis*. For example,
you may only want to exclude logging passwords of users from a specific
subnet. All that this requires is setting HTTP::capture_password to true
for connections that do not originate from the corresponding subnet (or
if the reverse is easier, setting it to false for that specific subnet).

    Matthias
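The per-connection idiom described above, written out as an added example (not code from the original post or from the Bro project); it assumes a Bro 2.x `HTTP::Info` record with a `capture_password` field and a hypothetical trusted subnet `10.0.0.0/8`:

```bro
# Added example: log HTTP basic-auth passwords only for clients that
# do NOT come from a trusted subnet, by flipping the per-connection
# capture_password flag instead of the global default.
@load base/protocols/http

module HTTP;

# Hypothetical site-specific subnet; adjust to your own address space.
const trusted_nets: set[subnet] = { 10.0.0.0/8 } &redef;

# The base HTTP script creates c$http in its own http_request handler at
# priority 5, so a lower priority here guarantees the record exists.
# http_header (which reads capture_password) fires after http_request.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=3
	{
	if ( c$id$orig_h !in trusted_nets )
		c$http$capture_password = T;
	}
```

Flipping the comparison to `in` and assigning `F` gives the reverse policy mentioned in the message, with the global `HTTP::default_capture_password` left as the fallback.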


