Bro script derived off of the referrer

All,

I am attempting to write a script that will key off of when the referrer is empty. The problem with that right now is that when I do this I have to use c$http$referrer == "-" which it does not like as an actual value. Is there another way to do this? I tried escaping it with a \ but that didn't seem to work either. Any assistance you can provide would be great.

Also, does anyone know where I can get some more info on the input framework?

Thanks,

BC

To check a field to see if it’s empty, you would use c$http?$referrer

As for input framework stuff:

https://www.bro.org/sphinx-git/scripts/base/frameworks/input/main.bro.html (this is for version 2.3)
http://blog.bro.org/2012/06/upcoming-loading-data-into-bro-with.html (this blog post is a little older, but I think still accurate)

-Sam

Be sure to use the correct HTTP event, too. You don’t want to check for the referer before Bro has had a chance to add it to the connection object.

-AK
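The two replies above combined into one script, as an added example that is not code from any poster in this thread: it tests the field with `?$` inside `http_message_done`, which fires after the request headers have been processed. The module name `EmptyReferrer` and the notice type `Missing_Referrer` are hypothetical names chosen for illustration.

```bro
# Added example (not from the thread). Module and notice names are hypothetical.
@load base/protocols/http
@load base/frameworks/notice

module EmptyReferrer;

export {
	redef enum Notice::Type += {
		## Hypothetical notice type: an HTTP request carried no referrer.
		Missing_Referrer
	};
}

# http_message_done is raised once the whole message has been seen, so the
# base HTTP scripts have already had the chance to copy the Referer header
# into c$http$referrer.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	# Only the request (originator side) carries a Referer header.
	if ( ! is_orig )
		return;

	if ( ! c?$http )
		return;

	# "-" is only how http.log renders an unset field. Inside a script the
	# optional field is simply absent, so test for presence with ?$.
	if ( c$http?$referrer && c$http$referrer != "" )
		return;

	NOTICE([$note=Missing_Referrer,
	        $msg=fmt("HTTP request without referrer: %s %s",
	                 c$http?$method ? c$http$method : "<unknown>",
	                 c$http?$uri ? c$http$uri : "<unknown>"),
	        $conn=c]);
	}
```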

There also is https://www.bro.org/sphinx/frameworks/input.html, which is
probably the best starting point.

Johanna