[Bro] bro scripting issue

Mike Dopheide dopheide at gmail.com
Mon Sep 19 13:17:08 PDT 2016


I believe the problem here is that the 'http_header' event is called for
every http header.  Depending on when "referrer" gets processed,
c$http?$referrer may very well not exist for the connection yet.

You may want to use http_all_headers instead.

-Dop

On Mon, Sep 19, 2016 at 2:31 PM, Matias Davaro <matiasdavaro at gmail.com>
wrote:

> Hello,
>
> I am trying to learn the bro programming language and as an exercise, was
> attempting to convert this cli one liner,
>
> bro-cut id.orig_h id.resp_h method host referrer < http.log | awk '$3
> ~/POST/ && $5 !~/[a-zA-Z]/ {print $2"\t"$4}' | sort -u
>
> into the following code:
>
> module HTTP;
>
> export {
>
> const http_resp_whitelist = set("otf.msn.com", "www.bing.com");
>
> }
>
> event http_header(c: connection, is_orig: bool, name: string, value: string)
> {
>   if (c$http$method == "POST" && c$http?$referrer == F && name == "HOST"
>       && c$http$host !in http_resp_whitelist) {
>       print fmt("%s, %s", c$id$resp_h, c$http$host);
>   }
> }
>
> My objective is to print http posts with no referrers and have a whitelist
> that includes search engines and other sites I'll add later. Though it
> works for the one pcap I originally wrote it for, it does not work for
> other ones, still printing http posts whether they have a referrer or not.
> Is name == "HOST" necessary? When I remove it, it gives me the field value
> missing error. If anyone could point me in the right direction, it would be
> appreciated. Again, any critiques or recommendations would be appreciated.
> Thank you.
>
>
> Matias
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
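The script below is an added example, not code from Mike's reply or from Matias' original post. It rewrites the handler around http_all_headers, which the HTTP analyzer raises once per message after every header has been delivered, so c$http$referrer has already been filled in (by the base HTTP script's http_header handler) when the check runs. The whitelist contents are taken from the question; the is_orig guard, the ?$ existence checks and the &redef attribute are additions that are assumed to be wanted (is_orig drops the response-side event, which would otherwise print every match a second time; &redef lets the list be extended from a separate site script without editing this one).

```bro
module HTTP;

export {
    ## Hosts for which a referrer-less POST is expected and should not be
    ## reported (initial list taken from the question, extend via redef).
    const http_resp_whitelist: set[string] = { "otf.msn.com", "www.bing.com" } &redef;
}

# http_all_headers fires once for the request and once for the response,
# after all headers of that message have been processed. By this point the
# base HTTP scripts have populated c$http$method, c$http$host and
# c$http$referrer, so there is no ordering race as with per-header events.
event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
{
    # Host and Referer live in the request; skip the response-side event so
    # each matching POST is printed only once.
    if ( ! is_orig )
        return;

    # A connection handed to this event should carry an HTTP record, but
    # guard against a missing one rather than trip a "field value missing" error.
    if ( ! c?$http )
        return;

    # Report POSTs that arrived with no Referer header to hosts outside the whitelist.
    if ( c$http?$method && c$http$method == "POST" &&
         c$http?$host && c$http$host !in http_resp_whitelist &&
         ! c$http?$referrer )
        print fmt("%s\t%s", c$id$resp_h, c$http$host);
}
```

Run it as `bro -r some.pcap no_referrer_post.bro` (file name is arbitrary); the output mirrors the `$2"\t"$4` columns of the awk one-liner, i.e. responder address and Host header. The `! c$http?$referrer` test is the script-level equivalent of the one-liner's `$5 !~/[a-zA-Z]/`, since an unset field is logged as `-` in http.log.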