[Bro] Bro script derived off of the referrer

anthony kasza anthony.kasza at gmail.com
Tue Apr 21 10:44:03 PDT 2015


Be sure to use the correct HTTP event, too. You don't want to check for the
referer before Bro has had a chance to add it to the connection object.

-AK
On Apr 21, 2015 9:44 AM, "Sam Oehlert" <soehlert at illinois.edu> wrote:

>  To check a field to see if it's empty, you would use c$http?$referrer
>
> As for input framework stuff:
>
> https://www.bro.org/sphinx-git/scripts/base/frameworks/input/main.bro.html
> (this is for version 2.3)
> http://blog.bro.org/2012/06/upcoming-loading-data-into-bro-with.html
> (this blog post is a little older, but I *think* still accurate)
>
> -Sam
>
>
> On 4/21/15 9:13 AM, Brian Chilton wrote:
>
>  All,
>
> I am attempting to write a script that will key off of when the referrer
> is empty.  The problem with that right now is that when I do this I have to
> use c$http$referrer == "-" which it does not like as an actual value.  Is
> there another way to do this?  I tried escaping it with a \ but that didn't
> seem to work either.  Any assistance you can provide would be great.
>
> Also, does anyone know where I can get some more info on the input
> framework?
>
> Thanks,
>
> BC
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
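
Added example, not part of the original thread and not code from the Bro project: a sketch of the check discussed above, combining the `?$` existence test with an event that fires only after the request headers have been parsed. The module name, notice type and message text are assumptions made for illustration.

```bro
# Added illustration; EmptyReferrer and Missing_Referrer are hypothetical names.
@load base/protocols/http
@load base/frameworks/notice

module EmptyReferrer;

export {
    redef enum Notice::Type += {
        ## An HTTP request was seen that carried no Referer header.
        Missing_Referrer
    };
}

# http_message_done with is_orig=T fires once the client's request has been
# fully parsed, so the base HTTP scripts have already had the chance to fill
# in c$http$referrer from their http_header handler.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    # Only look at requests, and only if the HTTP state record exists.
    if ( ! is_orig || ! c?$http )
        return;

    # The "-" shown in http.log is how the ASCII writer prints an unset
    # &optional field; in script-land the field is simply absent, so test
    # with ?$ instead of comparing against "-".
    if ( c$http?$referrer && c$http$referrer != "" )
        return;

    local host = c$http?$host ? c$http$host : "<no host>";
    local uri = c$http?$uri ? c$http$uri : "";

    NOTICE([$note=Missing_Referrer,
            $conn=c,
            $msg=fmt("request for %s%s sent without a Referer header", host, uri),
            # Suppress repeats for the same client/host pair.
            $identifier=cat(c$id$orig_h, host)]);
    }
```

Accessing c$http$referrer without the ?$ guard on a request that has no Referer header is a run-time error for an unset field, which is why the existence test comes first.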