[Bro] unusual_http_methods.bro script error

ps sunu pssunu6 at gmail.com
Mon Jan 23 13:07:56 PST 2017 

Hi,
              i am using bro 2.5 version and  i tried to compile below code
and its getting
error

@load base/frameworks/notice
@load base/protocols/http
module MozillaUnusualHTTP;
export {
redef enum Notice::Type += {
Interesting_HTTP_Method_Success,
Interesting_HTTP_Method_Fail,
};
redef enum HTTP::Tags += {
HTTP_BAD_METHOD_OK,
HTTP_BAD_METHOD_FAIL,
};
global whitelist_hosts_methods: table[addr, string] of set[subnet] =
table() &redef;
const suspicious_http_methods: set[string] = {
"DELETE", "TRACE", "CONNECT",
"PROPPATCH", "MKCOL", "SEARCH",
"COPY", "MOVE", "LOCK", "UNLOCK",
"POLL", "REPORT", "SUBSCRIBE", "BMOVE"
} &redef;
const monitor_ip_spaces: set[subnet] &redef;
const monitor_ports: set[port] &redef;
const ignore_hosts_orig: set[subnet] &redef;
const ignore_hosts_resp: set[subnet] &redef;
}
event http_reply(c: connection, version: string, code: count, reason: string
)
{
local cluster_client_ip: addr;
if ( ! c?$http )
return;
if ( ! c$http?$method )
return;
if ( c$id$resp_h !in monitor_ip_spaces )
return;
if ( c$id$resp_p !in monitor_ports )
return;
if ( c$id$resp_h in ignore_hosts_resp )
return;
if ( c$id$orig_h in ignore_hosts_orig )
return;
if ( ! c$http?$cluster_client_ip )
cluster_client_ip = c$id$orig_h;
else
cluster_client_ip = to_addr(c$http$cluster_client_ip);
if ( ( c$http?$cluster_client_ip ) && ( to_addr(c$http$cluster_client_ip) in
ignore_hosts_orig ) )
return;
if ( c$http$method ! in suspicious_http_methods )
return;
if ( [c$id$resp_h, c$http$method] in whitelist_hosts_methods ) {
if ( c$id$orig_h in whitelist_hosts_methods[c$id$resp_h, c$http$method] )
return;
if ( cluster_client_ip in whitelist_hosts_methods[c$id$resp_h,
c$http$method] )
return;
} else {
if ( c$http$status_code < 300 ) {
add c$http$tags[HTTP_BAD_METHOD_OK];
NOTICE([$note=Interesting_HTTP_Method_Success,
$msg=fmt("%s successfully used method %s on %s host %s", cluster_client_ip,
c$http$method, c$id$resp_h, c$http$host),
$uid=c$uid,
$id=c$id,
$identifier=cat(c$http$host,c$http$method,cluster_client_ip)]);
} else {
add c$http$tags[HTTP_BAD_METHOD_FAIL];
NOTICE([$note=Interesting_HTTP_Method_Fail,
$msg=fmt("%s failed to used method %s on %s host %s", cluster_client_ip,
c$http$method, c$id$resp_h, c$http$host),
$uid=c$uid,
$id=c$id,
$identifier=cat(c$http$host,c$http$method,cluster_client_ip)]);
}
}
error in /home/binu/bro/bro-findings/bro-gramming/unusual_http_methods.bro,
line 68: no such field in record
(MozillaUnusualHTTP::c$http?$cluster_client_ip) error in
/home/binu/bro/bro-findings/bro-gramming/unusual_http_methods.bro, line 71:
no such field in record (MozillaUnusualHTTP::c$http$cluster_client_ip) error
in string and
/home/binu/bro/bro-findings/bro-gramming/unusual_http_methods.bro, line 71:
type clash (string and MozillaUnusualHTTP::c$http$<error>) error in
/home/binu/bro/bro-findings/bro-gramming/unusual_http_methods.bro, line 71
and string: type mismatch (MozillaUnusualHTTP::c$http$<error> and string) error
in /home/binu/bro/bro-findings/bro-gramming/unusual_http_methods.bro, line
71: argument type mismatch in function call
(to_addr(MozillaUnusualHTTP::c$http$<error>)) error in
/home/binu/bro/bro-findings/bro-gramming/unusual_http_methods.bro, line 72:
no such field in record (MozillaUnusualHTTP::c$http?$cluster_client_ip) error
in /home/binu/bro/bro-findings/bro-gramming/unusual_http_methods.bro, line
72: no such field in record
(MozillaUnusualHTTP::c$http$cluster_client_ip) error
in string and
/home/binu/bro/bro-findings/bro-gramming/unusual_http_methods.bro, line 72:
type clash (string and MozillaUnusualHTTP::c$http$<error>) error in
/home/binu/bro/bro-findings/bro-gramming/unusual_http_methods.bro, line 72
and string: type mismatch (MozillaUnusualHTTP::c$http$<error> and string) error
in /home/binu/bro/bro-findings/bro-gramming/unusual_http_methods.bro, line
72: argument type mismatch in function call
(to_addr(MozillaUnusualHTTP::c$http$<error>))




Regards,
sunu error
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170124/fddd7cc1/attachment-0001.html

More information about the Bro mailing list