Scripting Question

I've written the attached scripts, and for some reason the event
http_all_headers or http_request doesn't seem to be firing. I've
tried a couple different pcaps to test on, tried using
HTTP::http_all_headers as the event, and now I'm pretty much out of

In httpsetup.bro it's a simple event that sets c$http$method so I can
use this elsewhere.

In suspicious_post.bro I have a basic set of rules to look at some
POST behavior, but the only thing that seems to fire is the init_bro
(I used a print statement to test as I haven't fully figured out -d). I
also have what

I'm running bro -r test.pcap ./suspicious_post.bro and everything
seems to load ok. I even tried loading via local.bro and running it
as part of the daemonized process, but that doesn't fire even after I
generate traffic that I know one of the cases _should_ fire on. Any
thoughts or information on what I'm doing wrong would be appreciated.


suspicious_post.bro (1.62 KB)

httpsetup.bro (262 Bytes)

Mike, did you try adding the -C option? (no-checksums)
I had something similar happen to me. It’s worth a try.
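
Added example (not part of the original thread): by default Bro discards packets whose checksums are invalid, which is common in pcaps captured on a host with checksum offloading, and -C tells it to ignore checksums. This Python sketch counts TCP packets with bad checksums in a capture so you can confirm that is the cause; it assumes a classic (non-pcapng) Ethernet pcap with unfragmented IPv4, and all function names and the sample capture are constructed for illustration.

```python
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IPv4/TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum_ok(ip: bytes) -> bool:
    """Verify the TCP checksum of one IPv4 packet (no fragments assumed)."""
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    seg = ip[ihl:total_len]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return ones_sum(pseudo + seg) == 0xFFFF

def count_bad_checksums(pcap: bytes):
    """Return (tcp_packets, bad_checksums) for a classic Ethernet pcap."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off, seen, bad = 24, 0, 0  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        # Ethernet II, EtherType IPv4, IP protocol 6 (TCP)
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[23] == 6:
            seen += 1
            bad += not tcp_checksum_ok(frame[14:])
    return seen, bad

def build_sample_pcap() -> bytes:
    """Constructed sample: one TCP SYN with a valid checksum, one with it zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    good = tcp[:16] + struct.pack("!H", 0xFFFF ^ ones_sum(pseudo + tcp)) + tcp[18:]
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for seg in (good, tcp):
        frame = eth + ip + seg
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print("tcp packets, bad checksums:", count_bad_checksums(build_sample_pcap()))
```

If most packets in your own capture come back with bad checksums, the HTTP analyzer never sees the traffic, which matches the symptom of events not firing.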