Unreliable results when replaying PCAPs


I’m replaying PCAPs through Zeek and using the HTTP building up maps of URL redirection chains. I wrote a script which uses bodies.bro to reassemble HTTP bodies and then I use regex to scan for possible HTML/JavaScript/iFrame-based redirections. Now that I have test cases for 400+ PCAPs I’ve identified that Zeek will sometimes fail to reassemble the HTTP body correctly, so regex won’t extract the redirection code…

For some PCAPs this happens ~50% of the time, for others ~10% of the time… For the majority of PCAPs, this doesn’t occur at all.

If anybody has any ideas what could be causing the inconsistencies, please let me know! Since the PCAPs remain the same between execution attempts, I can’t understand why the results would vary like this.
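As an added example (not the poster's script or anything from Zeek itself), here is a Python sketch of the regex extraction step together with a completeness check a practitioner would want when reassembly is unreliable: before trusting a "no redirect found" result, compare the reassembled body length against the declared Content-Length so truncated bodies are flagged as inconclusive instead of silently counted as negatives. The patterns and sample bodies are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Regexes for the redirect forms mentioned in the post: HTML meta refresh,
# JavaScript location assignment and iframe injection. Constructed for this
# example; real-world variants need more patterns than these.
PATTERNS = {
    "meta_refresh": re.compile(
        r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*url\s*=\s*["\']?([^"\'>\s]+)',
        re.IGNORECASE),
    "js_location": re.compile(
        r'(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
        re.IGNORECASE),
    "iframe": re.compile(r'<iframe[^>]+src\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE),
}


def body_complete(body: bytes, content_length: Optional[int]) -> bool:
    """True if the reassembled body is at least as long as the declared
    Content-Length. A shorter body means reassembly was incomplete, so a
    regex miss on it is not evidence that the page carried no redirect."""
    if content_length is None:
        return True  # chunked or unknown length: nothing to compare against
    return len(body) >= content_length


def extract_redirects(body: bytes, content_length: Optional[int] = None
                      ) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (status, [(kind, url), ...]) where status is 'complete' or
    'truncated'. Extraction still runs on truncated bodies, but the caller
    should record them as inconclusive rather than as 'no redirect'."""
    text = body.decode("utf-8", errors="replace")
    found = [(kind, m.group(1)) for kind, rx in PATTERNS.items()
             for m in rx.finditer(text)]
    status = "complete" if body_complete(body, content_length) else "truncated"
    return status, found


# Constructed sample bodies (not taken from any real capture).
SAMPLE_FULL = (b'<html><head><meta http-equiv="refresh" content="0; url=http://example.test/next">'
               b'</head><body><iframe src="http://example.test/frame" width="1" height="1"></iframe>'
               b'<script>window.location.href="http://example.test/js";</script></body></html>')
SAMPLE_TRUNCATED = SAMPLE_FULL[:50]  # simulates a partially reassembled body

if __name__ == "__main__":
    print(extract_redirects(SAMPLE_FULL, len(SAMPLE_FULL)))
    print(extract_redirects(SAMPLE_TRUNCATED, len(SAMPLE_FULL)))
```

Keeping the "truncated" status in the results lets you separate genuine non-redirecting pages from runs where reassembly failed, which is the first thing to measure when the same PCAP gives different answers across replays.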



If you slow down the rate of the pcap replay, do the results become more consistent?