[Bro] user agent string data enrichment

Azoff, Justin S jazoff at illinois.edu
Thu Jan 5 09:53:32 PST 2017


> On Jan 5, 2017, at 12:03 PM, Kris Secinfo <krissecinfo at gmail.com> wrote:
> 
> All-
> I am new to Bro, and am trying to find a way to "enrich" the user agent string to a more readable format. Is there a way that Bro can read the value that is in the user agent string, compare it to a table of known strings and present the "readable" value in a new field?
> For example, I would want Bro to see
> 
> Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
> 
> and add a new field that reads something to the effect of "Google Chrome Version 55.0.2883.87 m (64-bit)"
> 
> Thanks in advance for any new tips/starting points offered!

There is code that generates the software.log entry that tries to normalize things a bit.  Does the software.log by any chance already contain the result that you want?

-- 
- Justin Azoff
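
The table lookup asked about above, as an added example that is not part of the original thread and is not the code behind Bro's software.log: a Python post-processor that reads the `user_agent` column of a Bro TSV http.log and derives a readable label. The function names, the lookup table and the sample records (a reduced field set) are constructed for illustration.

```python
import re

# Constructed lookup table (an assumption, not Bro's own normalization logic).
# Order matters: Edge and Opera user agents also carry "Chrome/" and "Safari/"
# tokens, and Chrome carries "Safari/", so the most specific token is tried first.
BROWSERS = [
    ("Microsoft Edge", re.compile(r"\bEdge/([\d.]+)")),
    ("Opera", re.compile(r"\bOPR/([\d.]+)")),
    ("Google Chrome", re.compile(r"\bChrome/([\d.]+)")),
    ("Mozilla Firefox", re.compile(r"\bFirefox/([\d.]+)")),
    ("Internet Explorer", re.compile(r"\bMSIE ([\d.]+)")),
    ("Internet Explorer", re.compile(r"\bTrident/.*?\brv:([\d.]+)")),
    ("Apple Safari", re.compile(r"\bVersion/([\d.]+).*\bSafari/")),
]
# WOW64 is deliberately absent: it marks a 32-bit browser on 64-bit Windows.
ARCH_64 = re.compile(r"\b(?:Win64|x64|x86_64|amd64)\b", re.I)

def readable_user_agent(ua):
    """Return a readable label for a raw User-Agent value, or None if unknown."""
    if not ua or ua == "-":  # Bro writes "-" for an unset field in TSV logs
        return None
    for name, rx in BROWSERS:
        m = rx.search(ua)
        if m:
            label = "%s Version %s" % (name, m.group(1))
            if ARCH_64.search(ua):
                label += " (64-bit)"
            return label
    return None

def enrich_http_log(lines):
    """Yield (uid, user_agent, readable) for each record of a Bro TSV http.log."""
    fields = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # column names follow the "#fields" tag
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split("\t")))
            ua = rec.get("user_agent", "-")
            yield rec.get("uid"), ua, readable_user_agent(ua)

# Constructed sample records; the first user agent is the one from the question.
SAMPLE_LOG = [
    "#fields\tts\tuid\tid.orig_h\tuser_agent",
    "1483638812.0\tCexample1\t192.0.2.10\tMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
    "1483638813.0\tCexample2\t192.0.2.11\tMozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0",
    "1483638814.0\tCexample3\t192.0.2.12\t-",
]
```

Unrecognized or unset values come back as `None` rather than a guess, which matters because the User-Agent header is client-controlled and any label derived from it is a hint, not an identification.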




