I've written the attached scripts, and for some reason the event
http_all_headers or http_request doesn't seem to be firing. I've
tried a couple different pcaps to test on, tried using
HTTP::http_all_headers as the event, and now I'm pretty much out of
ideas.
In httpsetup.bro it's a simple event that sets c$http$method so I can
use this elsewhere.
In suspicious_post.bro I have a basic set of rules to look at some
POST behavior, but the only thing that seems to fire is the init_bro
(I used a print statement to test as I haven't fully figured out -d). I
also have what
I'm running bro -r test.pcap ./suspicious_post.bro and everything
seems to load ok. I even tried loading via local.bro and running it
as part of the daemonized process, but that doesn't fire even after I
generate traffic that I know one of the cases _should_ fire on. Any
thoughts or information on what I'm doing wrong would be appreciated.
Thanks,
-=Mike
suspicious_post.bro (1.62 KB)
httpsetup.bro (262 Bytes)
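Added example, not Mike's attached scripts (which are not reproduced on the page): a self-contained Bro script of the same shape, with one handler for each of the two events named in the post, written against the Bro 2.x scripting API (the event signatures are unchanged in Zeek). The module name, notice types, the `large_post_bytes` threshold and the specific POST checks are assumptions chosen for illustration, not anything from the original scripts.

```zeek
##! Added example (not the attached httpsetup.bro / suspicious_post.bro):
##! flag HTTP POST requests with a missing User-Agent or an oversized body.
##! Run with:  bro -r test.pcap suspicious_post_example.bro

@load base/protocols/http
@load base/frameworks/notice

module SuspiciousPost;

export {
    redef enum Notice::Type += {
        ## A POST whose declared Content-Length looks like a bulk upload.
        Large_POST_Body,
        ## A POST that carries no User-Agent header at all.
        POST_Without_User_Agent,
    };

    ## Body size (bytes) above which a POST is reported. Assumed value.
    const large_post_bytes = 1048576 &redef;
}

# http_request is a global event (declared in base/event.bif, not inside
# the HTTP module). It fires once per request line, before any header
# events. The base HTTP scripts run at &priority=5, so by the time this
# priority-0 handler runs c$http already exists and c$http$method is set.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    if ( method == "POST" )
        print fmt("POST %s  %s -> %s:%s", original_URI,
                  c$id$orig_h, c$id$resp_h, c$id$resp_p);
}

# http_all_headers fires once the complete header block of a request
# (is_orig=T) or reply (is_orig=F) has been parsed.
event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
{
    # Only the client-side headers of POST requests are of interest here.
    if ( ! is_orig || ! c?$http || ! c$http?$method || c$http$method != "POST" )
        return;

    local saw_ua = F;
    local content_length = 0;

    # mime_header_list is a table indexed by header position; the HTTP
    # analyzer hands over header names upper-cased.
    for ( i in hlist )
    {
        local h = hlist[i];
        if ( h$name == "USER-AGENT" )
            saw_ua = T;
        else if ( h$name == "CONTENT-LENGTH" )
            content_length = to_count(strip(h$value));
    }

    if ( ! saw_ua )
        NOTICE([$note=POST_Without_User_Agent,
                $msg=fmt("POST to %s with no User-Agent header", c$http$uri),
                $conn=c]);

    if ( content_length > large_post_bytes )
        NOTICE([$note=Large_POST_Body,
                $msg=fmt("POST to %s declares a %d-byte body",
                         c$http$uri, content_length),
                $conn=c, $n=content_length]);
}
```

When a script like this loads cleanly and `bro_init` fires but no protocol event ever does, the first thing to check is whether Bro is attaching the HTTP analyzer at all: after `bro -r test.pcap`, an `http.log` should appear and `conn.log` should show `http` in the `service` column for the flows in question. A common reason it does not is a pcap captured on a host with TCP checksum offloading, whose packets carry bad checksums that Bro silently discards; `bro -C` (`--no-checksums`) turns that verification off.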