Hello,
I am trying to learn bro programming language and as an exercise, was attempting to convert this cli one liner,
bro-cut id.orig_h id.resp_h method host referrer < http.log | awk ‘$3 ~/POST/ && $5 !~/[a-zA-Z]/ {print $2"\t"$4}’ | sort -u
into the following code:
module HTTP;
export {
const http_resp_whitelist = set(“otf.msn.com”, “www.bing.com”);
}
event http_header(c: connection, is_orig: bool, name:string, value:string) {
if (c$http$method == “POST” && c$http?$referrer == F && name == “HOST” && c$http$host ! in http_resp_whitelist) {
print fmt("%s, %s", c$id$resp_h, c$http$host);
}
}
my objective is to print http posts with no referrers and have a whitelist that includes search engines and other sites i’ll add later. Though it works for the one pcap I originally wrote it for, it does not work for other ones, still printing http posts whether they have a referrer or not. is name = “HOST” necessary? When I remove it, it gives me the field value missing error. If anyone could point me in the right direction, it would be appreciated. Again, any critiques or recommendations would be appreciated. Thank you.
Matias