[Bro] bro scripting issue
anthony kasza
anthony.kasza at gmail.com
Mon Sep 19 12:59:49 PDT 2016
Have you tried putting the referer field existence check in its own if
statement before you check the values of anything else?
-AK
On Sep 19, 2016 3:40 PM, "Matias Davaro" <matiasdavaro at gmail.com> wrote:
Hello,
I am trying to learn bro programming language and as an exercise, was
attempting to convert this cli one liner,
bro-cut id.orig_h id.resp_h method host referrer < http.log | awk '$3
~/POST/ && $5 !~/[a-zA-Z]/ {print $2"\t"$4}' | sort -u
into the following code:
module HTTP;
export {
const http_resp_whitelist = set("otf.msn.com", "www.bing.com");
}
event http_header(c: connection, is_orig: bool, name:string, value:string) {
if (c$http$method == "POST" && c$http?$referrer == F && name == "HOST" &&
c$http$host ! in http_resp_whitelist) {
print fmt("%s, %s", c$id$resp_h, c$http$host);
}
}
my objective is to print http posts with no referrers and have a whitelist
that includes search engines and other sites i'll add later. Though it
works for the one pcap I originally wrote it for, it does not work for
other ones, still printing http posts whether they have a referrer or not.
is name = "HOST" necessary? When I remove it, it gives me the field value
missing error. If anyone could point me in the right direction, it would be
appreciated. Again, any critiques or recommendations would be appreciated.
Thank you.
Matias
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160919/c16966f7/attachment.html
More information about the Bro
mailing list