[Bro] Scripting Question
Dalton Porter
daltonporter at yahoo.com
Thu May 10 21:54:52 PDT 2012
Mike, did you try adding the -C option? (no-checksums)
I had something similar happen to me. It's worth a try.
________________________________
From: Mike Sconzo <sconzo at visiblerisk.com>
To: bro at bro-ids.org
Sent: Friday, May 11, 2012 12:12 AM
Subject: [Bro] Scripting Question
I've written the attached scripts, and for some reason the event
http_all_headers or http_request doesn't seem to be firing. I've
tried a couple different pcaps to test on, tried using
HTTP::http_all_headers as the event, and now I'm pretty much out of
ideas.
In httpsetup.bro it's a simple event that sets c$http$method so I can
use this elsewhere.
In suspicious_post.bro I have a basic set of rules to look at some
POST behavior, but the only thing that seems to fire is the init_bro
(I used a print statement to test as I haven't fully figured out -d). I
also have what
I'm running bro -r test.pcap ./suspicious_post.bro and everything
seems to load ok. I even tried loading via local.bro and running it
as part of the daemonized process, but that doesn't fire even after I
generate traffic that I know one of the cases _should_ fire on. Any
thoughts or information on what I'm doing wrong would be appreciated.
Thanks,
-=Mike
--
cat ~/.bash_history > documentation.txt
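
Added example, not part of the original thread: the -C (no-checksums) option suggested in the reply matters because Bro discards packets whose checksums fail to validate, which is common in captures taken on a host with NIC checksum offloading, so HTTP events never fire on them. This Python script counts the TCP packets with bad checksums in a classic pcap file; the function names and the embedded two-packet capture are constructed for illustration.

```python
import struct

def ones_sum(data):
    """16-bit one's-complement sum used by the TCP checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum_ok(ip):
    """Check the TCP checksum of one IPv4 packet (bytes from the IP header on)."""
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    seg = ip[ihl:total_len]  # slicing to total_len drops Ethernet padding
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))  # src, dst, 0, proto, len
    return ones_sum(pseudo + seg) == 0xFFFF

def count_bad_tcp(pcap):
    """Return (tcp_packets, bad_checksums) for a classic Ethernet pcap.
    Truncated frames, non-IPv4, non-TCP and IP fragments are skipped."""
    if pcap[:4] not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic (microsecond) pcap file")
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off, seen, bad = 24, 0, 0
    while off + 16 <= len(pcap):
        caplen, origlen = struct.unpack(endian + "II", pcap[off + 8:off + 16])
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        ip = frame[14:]
        if caplen < origlen or len(ip) < 40 or frame[12:14] != b"\x08\x00":
            continue
        if ip[0] >> 4 != 4 or ip[9] != 6 or struct.unpack("!H", ip[6:8])[0] & 0x3FFF:
            continue
        seen += 1
        bad += not tcp_checksum_ok(ip)
    return seen, bad

def sample_pcap():
    """Constructed capture: one TCP packet with a valid checksum, one left at zero."""
    def frame(fill):
        tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
        tcp += b"POST /x HTTP/1.1\r\n\r\n"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        if fill:
            pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
            tcp = tcp[:16] + struct.pack("!H", 0xFFFF - ones_sum(pseudo + tcp)) + tcp[18:]
        return b"\x00" * 12 + b"\x08\x00" + ip + tcp
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = (frame(True), frame(False))
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

A non-zero second value from count_bad_tcp on a real capture is a reason to rerun the test with -C before debugging the scripts themselves.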