[Bro] Scripting Question
Mike Sconzo
sconzo at visiblerisk.com
Thu May 10 21:12:12 PDT 2012
I've written the attached scripts, and for some reason the event
http_all_headers or http_request doesn't seem to be firing. I've
tried a couple different pcaps to test on, tried using
HTTP::http_all_headers as the event, and now I'm pretty much out of
ideas.
In httpsetup.bro it's a simple event that sets c$http$method so I can
use this elsewhere.
in suspicious_post.bro I have a basic set of rules to look at some
POST behavior, but the only thing that seems to fire is the init_bro
(I used a print statmet to test as I haven't fully figured out -d). I
also have what
I'm running bro -r test.pcap ./suspicious_post.bro and everything
seems to load ok. I even tried loading via local.bro and running it
as part of the daemonized process, but that doesn't fire even after I
generate traffic that I know one of the cases _should_ fire on. Any
thoughts or information on what I'm doing wrong would be appreciated.
Thanks,
-=Mike
--
cat ~/.bash_history > documentation.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suspicious_post.bro
Type: application/octet-stream
Size: 1657 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120510/d7d0bd3a/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: httpsetup.bro
Type: application/octet-stream
Size: 261 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120510/d7d0bd3a/attachment-0001.obj
More information about the Bro
mailing list