bro scripting issue

Hello,

I am trying to learn the Bro programming language and, as an exercise, was attempting to convert this CLI one-liner,

bro-cut id.orig_h id.resp_h method host referrer < http.log | awk '$3 ~/POST/ && $5 !~/[a-zA-Z]/ {print $2"\t"$4}' | sort -u

into the following code:

module HTTP;

export {
    # Hosts whose referrer-less POSTs should not be reported.
    const http_resp_whitelist = set("otf.msn.com", "www.bing.com");
}

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # Only report a POST once the HOST header is seen, has no referrer and
    # is not whitelisted.
    if ( c$http$method == "POST" && ! c$http?$referrer && name == "HOST" && c$http$host !in http_resp_whitelist )
        print fmt("%s, %s", c$id$resp_h, c$http$host);
}

My objective is to print HTTP POSTs with no referrers and have a whitelist that includes search engines and other sites I'll add later. Though it works for the one pcap I originally wrote it for, it does not work for other ones, still printing HTTP POSTs whether they have a referrer or not. Is name == "HOST" necessary? When I remove it, it gives me the "field value missing" error. If anyone could point me in the right direction, it would be appreciated. Again, any critiques or recommendations would be appreciated. Thank you.

Matias

Have you tried putting the referer field existence check in its own if statement before you check the values of anything else?

-AK

I believe the problem here is that the 'http_header' event is called for every HTTP header. Depending on when "referrer" gets processed, c$http?$referrer may very well not exist for the connection yet.

You may want to use http_all_headers instead.

-Dop
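The rewrite Dop suggests, written out as an added example rather than code from the thread: http_all_headers fires once per message after every header has been parsed, so the Referer header (when present) has already been seen, and the handler can also scan the header list itself instead of relying on c$http$referrer. The whitelist contents, the tab-separated output format and the choice to only inspect the client side (is_orig) are assumptions for illustration.

```zeek
module HTTP;

export {
    # Assumed whitelist of hosts whose referrer-less POSTs are expected.
    const http_resp_whitelist: set[string] = { "otf.msn.com", "www.bing.com" } &redef;
}

# Raised once per HTTP message after all headers have been parsed, so every
# header of the request is available here (unlike http_header, which is
# raised once per header, in the order they appear on the wire).
event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
{
    # Only the client-side message carries the method, Host and Referer.
    if ( ! is_orig )
        return;

    # Method and host are set by the base HTTP scripts before this event fires;
    # guard against them being absent rather than triggering "field value missing".
    if ( ! c?$http || ! c$http?$method || ! c$http?$host )
        return;

    if ( c$http$method != "POST" )
        return;

    # Look for the Referer header in the parsed header list itself. Zeek
    # upper-cases header names in mime_header_rec, hence "REFERER".
    local has_referrer = F;
    for ( i in hlist )
        {
        if ( hlist[i]$name == "REFERER" )
            {
            has_referrer = T;
            break;
            }
        }

    if ( has_referrer )
        return;

    if ( c$http$host in http_resp_whitelist )
        return;

    # Same columns as the awk one-liner: responder address and Host.
    print fmt("%s\t%s", c$id$resp_h, c$http$host);
}
```

Because the decision is made after the whole header block has been parsed, the result no longer depends on whether Referer happens to precede Host in a given request, which is why the http_header version behaved differently from one pcap to the next.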