How to get Bro to support UTF-8 chars like Chinese in detect-webapps.sig?

Hello, all:
I am a newbie. I’ve enabled policy/protocols/http/detect-webapps in local.bro and prepared a Redmine test site.
Bro can successfully detect this type of web app; in software.log I can see:

1386139178.321119 192.168.1.2 80 HTTP::WEB_APPLICATION Redmine - - - - - Redmine http://redmine.example.com/

Now I want to detect a web app by Chinese chars. I’ve tried to add UTF-8 characters in detect-webapp.sig, but could not get Bro to work.

How can I achieve that goal?

Thanks.

Unfortunately Bro doesn't have any form of Unicode support yet (we've been talking about this for quite some time but haven't converged on anything quite yet). What you will have to do is expand the Unicode characters you're hoping to match into their constituent bytes. So your signature payload may look like this…

payload /test\xF0\x9F\x92\xA9test/

It's certainly less than ideal, but does that work for you for now?

.Seth

Hi Seth, thanks for your quick reply, the constituent bytes format works
for me now! But I have run into another problem:
when I turn off gzip in nginx.conf, Bro works fine, but when I turn on gzip,
Bro does not seem to work.
How could Bro unzip the HTML content before applying the payload? Thanks.

We have a specialized keyword for checking patterns in HTTP payloads. It will decode the content prior to matching.

http-reply-body /test\xF0\x9F\x92\xA9test/

  .Seth
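
The two answers above (expanding characters into their UTF-8 bytes, and matching with `http-reply-body` so the body is decoded first) can be combined in a small generator. This is an added example, not code from the thread or from the Bro project; the signature id, event label and sample text are hypothetical, and hex-escaping every byte that is not an ASCII letter or digit is a conservative choice made here.

```python
import re


def to_sig_pattern(text: str) -> str:
    """Expand text into a byte-level pattern body (no surrounding slashes).

    ASCII letters and digits stay literal; every other byte, including each
    byte of a multi-byte UTF-8 character, becomes \\xNN, so no regex
    metacharacter reaches the matcher unescaped.
    """
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("\\x%02X" % byte)
    return "".join(out)


def make_signature(sig_id: str, text: str, event: str,
                   keyword: str = "http-reply-body") -> str:
    """Render one signature block.

    sig_id and event are hypothetical, caller-chosen labels; restricting
    them to plain ASCII is an assumption made for this example.
    """
    if keyword not in ("payload", "http-reply-body"):
        raise ValueError("keyword must be payload or http-reply-body")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", sig_id):
        raise ValueError("sig_id must be ASCII letters, digits, '_' or '-'")
    if not re.fullmatch(r"[A-Za-z0-9 ._-]+", event):
        raise ValueError("event must be plain ASCII without quotes")
    if not text:
        raise ValueError("text to match must not be empty")
    return (f"signature {sig_id} {{\n"
            f"  {keyword} /{to_sig_pattern(text)}/\n"
            f"  event \"{event}\"\n"
            f"}}\n")


if __name__ == "__main__":
    # Constructed sample: a short Chinese string to fingerprint in a reply body.
    print(make_signature("webapp-example-zh", "中文", "Example App"))
```

Passing `keyword="payload"` produces the raw-payload form from the first answer, which only matches when the response is not compressed.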