I’m a masters student at the University of Washington and I’m setting up an installation to inform users of a space about digital privacy and teach them about threat modeling by displaying web sites requested in an open wifi network on a few displays. I have an openwrt router using port-mirroring to send a copy of all packets to my linux machine which is running bro to filter the headers and harvest just the source ip, host, uri, and user-agent, but I’m having trouble developing the proper bro code to filter out (ideally) all get requests besides the initial ones when a users clicks a link or types one in the address bar. The solution doesn’t need to be perfect, but I still need to narrow the scope dramatically. The following code is better than nothing, but it doesn’t filter out enough.
I have a python script extracting the urls from the sql database and loading a few firefox browsers with a new url every couple of seconds and I want the urls queried to be visually similar to what the page a user requests to highlight the vulnerability of unencrypted traffic. I initially tried to extract the files from http connections and then load the html pages in the browsers, but I can’t seem to resolve the original names of the files appropriately. One suggestion I found was to use Xplico, but I couldn’t get that to work.
I’m new to bro and appreciate any advice you have!