I have this script:
    # Fires for each chunk of HTTP body data on the connection c
    event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
        # Match GET requests to a seek.com.au host whose path starts with /Jobsearch?=
        if ( c$http$method == "GET" && /\.seek\.com\.au/ in c$http$host && /^\/Jobsearch\?=/ in c$http$uri )
        {
            print fmt("%s", c$http$host);
        }
    }
It doesn't print anything when I run this command:
bro -r seek.pcap seek.bro
All I get back is a whole bunch of these (Bro 2.1):
ERROR: 1386300192.418090 field value missing [c$http$method] (./seek.bro, line 4)
If I run the same command on my local box (Bro 2.2) I get a whole bunch of these:
1386301933.432853 expression error in ./seek.bro, line 4: field value missing [c$http$method]
If I remove the first part of the if statement (c$http$method == "GET" &&), I still get errors:
ERROR: 1386300192.418090 field value missing [c$http$host] (./seek.bro, line 4)
If I just run it through Bro with:
bro -r seek.pcap local.bro
In the http.log it's missing the method, host, uri, referrer and user_agent, even though the method, host and uri are clearly in the pcap:
1386301933.281650 CJa1U94yRhXVPIdPde 10.1.40.137 44393 202.58.38.95 80 0 - - - - - 0 235 302 Found - - - (empty) - - – - FYPqLs2ezZWfT428fi text/html
Been stuck on this for a while, any ideas?
I've been using Scott Runnels' YouTube tutorial for reference: http://ryesecurity.blogspot.com.au/2013/01/logging-youtube-titles-with-bro-1-its.html
Here’s the pcap if you need to try to replicate it:
https://www.dropbox.com/s/tndo4cahlp7lq66/seek.pcap
Scott
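Added example (editor's illustration, not the poster's script or a reply from the list): the "field value missing" error is what Bro raises when an &optional record field such as c$http$method is read before it has been set. The script below guards each field with the ?$ operator and also shows the http_request event, which receives the request fields as parameters so no such check is needed. It assumes the same Bro 2.x syntax and the seek.pcap from the post; the regexes are escaped literal forms of the poster's patterns.

```bro
# Added example: read c$http fields only after checking they are set.
# In Bro, method/host/uri on c$http are &optional and are filled in only
# when the request line and headers were parsed for that connection.
# If the request side was never seen (the http.log row with "-" in the
# method/host/uri columns), reading them raises "field value missing".

# Assumption: same event signature as the poster's script (Bro 2.1/2.2).
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    # c$http itself is optional: it only exists once the HTTP analyzer ran.
    if ( ! c?$http )
        return;

    # ?$ tests whether an optional field has a value; skip incomplete records.
    if ( ! c$http?$method || ! c$http?$host || ! c$http?$uri )
        return;

    if ( c$http$method == "GET" && /\.seek\.com\.au/ in c$http$host
         && /^\/Jobsearch\?=/ in c$http$uri )
        print fmt("entity data on %s%s", c$http$host, c$http$uri);
    }

# Alternative: http_request fires once per request with the method and URI
# passed directly, so it cannot hit the missing-field error at all.
# The Host header is still read from c$http, hence the ?$ check on it.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    if ( method != "GET" )
        return;

    if ( ! c?$http || ! c$http?$host )
        return;   # request seen, but no Host header parsed yet

    if ( /\.seek\.com\.au/ in c$http$host && /^\/Jobsearch\?=/ in original_URI )
        print fmt("request %s %s%s", method, c$http$host, original_URI);
    }
```

Run it with the poster's command line (bro -r seek.pcap <script>.bro); connections whose request side was not parsed are skipped silently instead of producing an expression error, so an empty output then points at the request data itself rather than at the script.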