bro script looking for hacker keywords


I’m trying to write a bro script that would alert me whenever certain hacker keywords are seen in the http traffic.

I found a bro script that captures the POST content and modified it a bit to check for the keywords.

module HTTP;

export {

The number of bytes that will be included in the http

log from the client body.

const post_body_limit = 1024;

redef record Info += {
post_body: string &log &optional;
redef enum Notice::Type += {

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
if ( is_orig && Site::is_local_addr(c$id$resp_h) && !(Site::is_local_addr(c$id$orig_h)) )
if (/KEYWORDS TO MATCH/ in data )
$msg=fmt("%s maybe attempting to access/upload hack file on %s. data: %s", c$id$orig_h,c$id$resp_h , data),
$sub=“Hack keyword match”,

if ( ! c$http?$post_body )
c$http$post_body = sub_bytes(data, 0, post_body_limit);
else if ( |c$http$post_body| < post_body_limit )
c$http$post_body = string_cat(c$http$post_body, sub_bytes(data, 0, post_body_limit-|c$http$post_body|));

I do see some positive alerts when hackers try to bruteforce a login with passwords that match the keywords list, but I’m getting some false positives when the http response is gzip encoded. Is there a function that would decode the data, or another event I could use to achieve this…