[Bro] Help with http_entity_data script
scottie
jwillie4020 at gmail.com
Thu Dec 5 20:29:07 PST 2013
I have this script:
event http_entity_data(c: connection, is_orig: bool, length: count,
                       data: string)
    {
    # Match GET requests for the seek.com.au job search page and print the host.
    if ( c$http$method == "GET" && /\.seek\.com\.au/ in c$http$host &&
         /^\/Jobsearch\?=/ in c$http$uri )
        {
        print fmt("%s", c$http$host);
        }
    }
It doesn't print anything running this command:
bro -r seek.pcap seek.bro
All I get back is a whole bunch of these (Bro 2.1):
ERROR: 1386300192.418090 field value missing [c$http$method] (./seek.bro, line 4)
If I run the same command on my local box (Bro 2.2) I get a whole bunch of these:
1386301933.432853 expression error in ./seek.bro, line 4: field value missing [c$http$method]
If I remove the first bit of the if statement, "c$http$method == "GET" &&", I still get errors:
ERROR: 1386300192.418090 field value missing [c$http$host] (./seek.bro, line 4)
If I just run it through Bro with:
bro -r seek.pcap local.bro
In the http.log it's missing the method, host, uri, referrer, and
user_agent, even though the method, host and uri are clearly in the pcap:
1386301933.281650 CJa1U94yRhXVPIdPde 10.1.40.137 44393 202.58.38.95 80 0 - - - - - 0 235 302 Found - - - (empty) - - - - - FYPqLs2ezZWfT428fi text/html
Been stuck on this for a while, any ideas?
I've been using Scott Runnels' YouTube tutorial for reference:
http://ryesecurity.blogspot.com.au/2013/01/logging-youtube-titles-with-bro-1-its.html
Here's the pcap if you need to try to replicate it:
https://www.dropbox.com/s/tndo4cahlp7lq66/seek.pcap
Scott
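[Added example, not part of the original post or of the Bro distribution.] In Bro 2.x the method, host and uri fields of HTTP::Info are &optional, so they stay unset for any connection where Bro never parsed a request line, and reading an unset field is exactly what raises "field value missing". The ?$ operator tests whether a field is set. The script below keeps the host and URI patterns from the original script, guards every c$http access with that test, and also hooks http_request so you can see whether Bro parsed a request line for the connection at all. The module name SeekJobs, the constants seek_host/seek_uri and the helper has_request_fields are my own names, not Bro's.

```bro
# Added example: the original check, made safe against unset fields.
# HTTP::Info fields such as method, host and uri are &optional and are
# only populated when Bro parses a request line / Host header.

module SeekJobs;

export {
    # Site and job-search path patterns (taken from the original post).
    const seek_host = /\.seek\.com\.au/ &redef;
    const seek_uri  = /^\/Jobsearch\?=/ &redef;
}

# Helper: true only if the connection has an HTTP record with every
# field the match below reads, so the match itself cannot trip
# "field value missing".
function has_request_fields(c: connection): bool
    {
    return c?$http && c$http?$method && c$http?$host && c$http?$uri;
    }

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    # This event is what populates c$http$method and c$http$uri; the
    # Host header is filled in by the http_header event shortly after.
    print fmt("%s request seen: %s %s", c$uid, method, original_URI);
    }

event http_entity_data(c: connection, is_orig: bool, length: count,
                       data: string)
    {
    # Entity data arrives for both the request body (is_orig=T) and the
    # response body (is_orig=F). If Bro never saw a request line for
    # this connection, say so and bail out instead of raising an error.
    if ( ! has_request_fields(c) )
        {
        print fmt("%s: %d bytes of entity data (is_orig=%s) but no parsed request",
                  c$uid, length, is_orig);
        return;
        }

    if ( c$http$method == "GET" && seek_host in c$http$host &&
         seek_uri in c$http$uri )
        print fmt("%s %s%s", c$http$method, c$http$host, c$http$uri);
    }
```

Run it the same way (bro -r seek.pcap seekjobs.bro). If the "request seen" line never appears for a connection but the "no parsed request" line does, the script is not the problem: Bro is seeing response data for a connection whose request it did not parse, which is also why method, host and uri show up as "-" in http.log for that connection.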