[Bro] bro scripting issue

Matias Davaro matiasdavaro at gmail.com
Mon Sep 19 12:31:59 PDT 2016


Hello,

I am trying to learn the Bro programming language and as an exercise, was
attempting to convert this CLI one-liner,

bro-cut id.orig_h id.resp_h method host referrer < http.log | awk '$3 ~/POST/ && $5 !~/[a-zA-Z]/ {print $2"\t"$4}' | sort -u

into the following code:

module HTTP;

export {
    const http_resp_whitelist: set[string] = set("otf.msn.com", "www.bing.com");
}

event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    # Guard the optional fields before reading them; accessing an unset
    # field raises "field value missing". Note that a Referer header which
    # arrives after Host has not yet been recorded in c$http at the moment
    # the HOST header event fires.
    if ( is_orig && name == "HOST" && c?$http && c$http?$method &&
         c$http$method == "POST" && ! c$http?$referrer &&
         c$http?$host && c$http$host !in http_resp_whitelist )
        print fmt("%s, %s", c$id$resp_h, c$http$host);
    }

My objective is to print HTTP POSTs with no referrers and have a whitelist
that includes search engines and other sites I'll add later. Though it
works for the one pcap I originally wrote it for, it does not work for
other ones, still printing HTTP POSTs whether they have a referrer or not.
Is name = "HOST" necessary? When I remove it, it gives me the "field value
missing" error. If anyone could point me in the right direction, it would be
appreciated. Again, any critiques or recommendations would be appreciated.
Thank you.


Matias
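As an added example (my own code, not the poster's), the same filter evaluated in the http_message_done event for the request side (is_orig == T), which fires only after every request header, including any Referer, has been recorded in c$http; the whitelist is the one from the post, marked &redef so sites can be added from another script:

```bro
module HTTP;

export {
    # Hosts whose POSTs are never reported (values taken from the post).
    const http_resp_whitelist: set[string] = set("otf.msn.com", "www.bing.com") &redef;
}

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    # Only the client side (the request) carries method, host and referrer,
    # and c$http may be absent if the connection was never analysed as HTTP.
    if ( ! is_orig || ! c?$http )
        return;

    local h = c$http;

    # Equivalent of: method == "POST" and referrer field is "-" in http.log.
    if ( h?$method && h$method == "POST" && ! h?$referrer &&
         h?$host && h$host !in http_resp_whitelist )
        print fmt("%s\t%s", c$id$resp_h, h$host);
    }
```

Because every request reaching this point has had all its headers parsed, the name == "HOST" check is no longer needed; duplicates can still be collapsed with sort -u on the printed output.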

