Bro script derived off of the referrer


I am attempting to write a script that will key off of when the referrer is empty. The problem with that right now is that when I do this I have to use c$http$referrer == “-” which it does not like as an actual value. Is there another way to do this? I tried escaping it with a \ but that didn’t seem to work either. Any assistance you and provide would be great.

also, does anyone know where I can get some more info on the input framework?



To check a field to see if it’s empty, you would use c$http?$referrer

As for input framework stuff: (this is for version 2.3) (this blog post is a little older, but I think still accurate)


Be sure to use the correct HTTP event, too. You don’t want to check for the referer before Bro has had a chance to add it to the connection object.


There also is, which is
probably the best starting point.