Writing a Bro script to make an API call?

Similar to how Bro implements the detect-MHR script, I’d like to do a lookup against a REST API for hashes on executables…I can do it easily enough in python but…How can I do it in Bro?

I copied the detect-MHR as a template, but immediately ran into the questions of “how do I make an http request with Bro?” and “Will that request now end up in my http.logs?” and “Does Bro have native abilities to deal with JSON objects in a reasonable way?” and “What happens if I’m getting two lines in my response: a csv style line and a JSON “object”?”…

Obviously I have a lot to learn, and would appreciate any resources I could be pointed to for doing so… :slight_smile:

Cheers,

Jesse

No, not yet. I'm hoping that for 2.2 we can get some form of active HTTP into Bro. I have something implemented in my junk drawer repository already, but it needs a bug fix that hasn't been merged into master yet.

  .Seth

Ah, ok…Well, sounds like it’s time for me to try out that external command script you’ve mentioned… :slight_smile:

Cheers,

Jesse

The ActiveHTTP module is actually there already too (it wraps the command line curl client). :wink:

It does require the topic/jsiwek/ticket946 branch though and there may be problems with doing lots of HTTP requests or Exec commands at runtime due to some thread clean up issues that still exist.

  .Seth
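The shape a script like the one asked about in the first post takes once ActiveHTTP is available, as an added example that is not from the thread or from Bro's own detect-MHR script. It assumes the `ActiveHTTP::request` function and its `Request`/`Response` records as shipped in `base/utils/active-http.bro` (Bro 2.2), the `file_hash`/`file_new` events of the file analysis framework, and a hypothetical lookup endpoint (`hash_api_url`) whose body is only checked for a constructed marker string, since Bro has no JSON parser at this point and the response body arrives as a plain string.

```bro
##! Look up SHA1 hashes of executables against an external REST API.
##! Added example: mirrors the structure of detect-MHR, but uses
##! ActiveHTTP (which shells out to curl) instead of a DNS lookup.
##! The endpoint URL and response marker below are placeholders.

@load base/frameworks/notice
@load base/frameworks/files
@load base/utils/active-http

module HashLookup;

export {
	redef enum Notice::Type += {
		## A file hash was flagged by the external hash lookup service.
		Match
	};

	## Placeholder: base URL of the hypothetical lookup service.
	## The hash is appended as the last path component.
	const hash_api_url = "https://lookup.example.invalid/api/v1/hash/" &redef;

	## MIME types to hash and look up (same idea as detect-MHR).
	const match_file_types = /application\/x-dosexec/ |
	                         /application\/x-executable/ &redef;

	## Give up on a lookup after this long so a slow or dead API
	## does not keep "when" bodies piling up at runtime.
	const lookup_timeout = 20sec &redef;
}

# Hypothetical: the service is assumed to answer 200 with a body that
# contains this literal substring when the hash is known-bad.  Plain
# substring matching is used because there is no JSON support here.
const positive_marker = "\"malicious\":true";

event file_new(f: fa_file)
	{
	# Only attach the SHA1 analyzer to file types we care about, so
	# we are not hashing (and querying for) every object on the wire.
	if ( f?$mime_type && match_file_types in f$mime_type )
		Files::add_analyzer(f, Files::ANALYZER_SHA1);
	}

event file_hash(f: fa_file, kind: string, hash: string)
	{
	if ( kind != "sha1" )
		return;

	local url = fmt("%s%s", hash_api_url, hash);

	# ActiveHTTP::request runs curl out of band and returns asynchronously,
	# so it must be used inside a "when" block.  Because the request is
	# made by a separate curl process rather than by Bro's own packet
	# processing, it does not appear in http.log unless the monitored
	# interface happens to carry this host's outbound traffic.
	when ( local resp = ActiveHTTP::request([$url=url,
	                                         $method="GET",
	                                         $max_time=lookup_timeout]) )
		{
		if ( resp$code != 200 || ! resp?$body )
			return;

		if ( positive_marker in resp$body )
			{
			NOTICE([$note=Match,
			        $msg=fmt("External hash service flagged %s (sha1 %s)",
			                 f$id, hash),
			        $sub=url,
			        $f=f]);
			}
		}
	timeout lookup_timeout
		{
		Reporter::warning(fmt("hash lookup for %s timed out", hash));
		}
	}
```

Two things worth keeping in mind with this pattern: every lookup spawns a curl process, so the concurrency and thread clean-up caveat Seth mentions applies directly, and the `max_time`/`timeout` pair is what keeps a misbehaving API from tying up the worker; and since the body is just a string, a service that returns mixed CSV and JSON lines (as in the original question) is easiest to handle by picking a single stable substring to test for, or by asking the service for a simpler format if it offers one.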