[Bro] [bro] intel framework

Azoff, Justin S jazoff at illinois.edu
Mon Jul 18 05:16:33 PDT 2016


> On Jul 18, 2016, at 2:42 AM, anthony kasza <anthony.kasza at gmail.com> wrote:
> 
> This should work:
> 
> https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/http-url.bro
> 
> The Intel framework works on a plugin system. You should be able to add some protocol fields by writing a new script if what you need isn't already there.

That is close, but won't work for this. The http-url script uses

    $indicator=HTTP::build_url(c$http)

build_url basically does host + uri with some extra smarts for all the edge cases.

To have the intel framework just flag the path, you would need a variation of that script that only sets the indicator to the path:

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	# Only the client's request carries the URI, and only if one was parsed.
	if ( is_orig && c?$http && c$http?$uri )
		Intel::seen([$indicator=c$http$uri,
		             $indicator_type=Intel::URL,
		             $conn=c,
		             $where=HTTP::IN_URL]);
	}

You may need/want to remove any query string at the end of the path.

I don't think using Intel::URL for something that is not really a URL will cause a problem, but it is slightly confusing :-)  If you do not want that you can add a new intel type called URL_PATH.

-- 
- Justin Azoff
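The following is an added example, not code from the thread or from the Bro project, that combines the two suggestions above: it strips the query string before matching and introduces a dedicated URL_PATH indicator type (and a matching HTTP::IN_URL_PATH location) so path-only indicators do not masquerade as full URLs. The enum names URL_PATH and IN_URL_PATH and the helper strip_query are assumptions chosen for this example.

```bro
# Added example (not from the thread): match only the request path, with any
# query string removed, under a separate URL_PATH intel type.
module HTTP;

export {
	# New indicator type so path-only indicators are not confused with URLs
	# (name is an assumption for this example).
	redef enum Intel::Type += { Intel::URL_PATH };
	# New location so hits on the bare path are distinguishable from HTTP::IN_URL
	# in the intel log (name is an assumption for this example).
	redef enum Intel::Where += { HTTP::IN_URL_PATH };
}

# Drop everything from the first '?' onward; a URI without a query string is
# returned unchanged.
function strip_query(uri: string): string
	{
	return sub(uri, /\?.*$/, "");
	}

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	# Only the client's request carries the URI, and only if one was parsed.
	if ( is_orig && c?$http && c$http?$uri )
		Intel::seen([$indicator=strip_query(c$http$uri),
		             $indicator_type=Intel::URL_PATH,
		             $conn=c,
		             $where=HTTP::IN_URL_PATH]);
	}
```

Indicators are then loaded with Intel::URL_PATH in the indicator_type column of the intel file, and a request for /admin/config.php?x=1 matches an indicator of /admin/config.php because the query string is removed before Intel::seen is called.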
