- No printing! Use the reporter instead.
- Frameworks shouldn't cause any performance overhead merely by the act of loading them.
- If you really have to handle events outside of those generated by the module you're working on (like connection_established or connection_state_remove) triple check your code.
Seth Hall sethhall
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global watching_icmp: table[conn_id, count] of time &create_expire=3secs; | |
| event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string) | |
| { | |
| watching_icmp[c$id, seq] = network_time(); | |
| } | |
| event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string) | |
| { | |
| if ( [c$id, seq] !in watching_icmp ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global my_table: table[count] of count = { }; | |
| event bro_init() | |
| { | |
| print val_size(my_table); | |
| my_table[1] = 1; | |
| my_table[2] = 2; | |
| my_table[3] = 3; | |
| print val_size(my_table); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICM | |
| index 732727d..43e961e 100644 | |
| --- a/src/analyzer/protocol/icmp/ICMP.cc | |
| +++ b/src/analyzer/protocol/icmp/ICMP.cc | |
| @@ -100,8 +100,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* dat | |
| else if ( ip->NextProto() == IPPROTO_ICMPV6 ) | |
| NextICMP6(current_timestamp, icmpp, len, caplen, data, ip); | |
| else | |
| - reporter->InternalError("unexpected next protocol in ICMP::Deliv | |
| - |
sethhall
/ bro-exchange-update-watcher.bro
Created
August 7, 2013 19:17
Everyone keeps asking about when the videos will be posted, so here's a script that runs in the preview release (git master).
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| redef exit_only_after_terminate = T; | |
| module BroExchangeWatch; | |
| export { | |
| redef enum Notice::Type += { | |
| Woo, | |
| }; | |
| } |
sethhall
/ gist:5952451
Last active
December 19, 2015 12:09
grabbing content-disposition headers only in certain cases.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @load base/protocols/http | |
| const watchlist_url_patterns = /^.*/test.php\// &redef; | |
| redef record Conn::Info += { | |
| content_disposition: string &optional &log; | |
| }; | |
| event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list) | |
| { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| paste the following into: http://certlogik.com/decoder/ | |
| MIIXqwYJKoZIhvcNAQcCoIIXnDCCF5gCAQExCzAJBgUrDgMCGgUAMEwGCisGAQQBgjcCAQSgPjA8MBcGCisGAQQBgjcCAQ8wCQMBAKAEogKAADAhMAkGBSsOAwIaBQAEFKbTZvvCj5cDkxgWVtg79OiqTsRvoIISujCCA+4wggNXoAMCAQICEH6T6/t8xk5Z6kuad9QG/DswDQYJKoZIhvcNAQEFBQAwgYsxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxFDASBgNVBAcTC0R1cmJhbnZpbGxlMQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsTFFRoYXd0ZSBDZXJ0aWZpY2F0aW9uMR8wHQYDVQQDExZUaGF3dGUgVGltZXN0YW1waW5nIENBMB4XDTEyMTIyMTAwMDAwMFoXDTIwMTIzMDIzNTk1OVowXjELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMTAwLgYDVQQDEydTeW1hbnRlYyBUaW1lIFN0YW1waW5nIFNlcnZpY2VzIENBIC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxrLNJVEuXHBIK2CV5kSJXKm/cuCbEQ3Nrwr8uUFr7FMJ2jkMBJUO0oeJF9Oi3e8N0zCLXtJQAAvdN7b+0t0Qka81fRTvRRM5DEnMXgotptCvLmR6schsmTXEfsTHd+1FhAlOmqvVJLAV4RaUvic7nmef+jOJXPz3GktxK+Hsz5HkK+/B1iEGc/8UDUZmq12yfk2mHZSmDhcJgFMTIyTsU2sCB8B8NdN6SIqvK9/t0fCfm90obf6fDni2uiuqm5qonFn1h95hxEbziUKFL5V365Q6nLJ+qZSDT2JboyHylTkhE/xniRAeSC9dohIBdanhkRc1gRn5UwRN8xXnxycF |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # the number of workers we expect | |
| WORKER_COUNT=7 | |
| # the number of proxies we expect | |
| PROXY_COUNT=0 | |
| # the cpu mask for our default set | |
| DFLT_SET="0,1,9,10,11" | |
| # get short hostname | |
| HOSTNAME=$(hostname -s) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/scripts/base/protocols/ssh/main.bro b/scripts/base/protocols/ssh/main.bro | |
| index cd20f4e..a8b784f 100644 | |
| --- a/scripts/base/protocols/ssh/main.bro | |
| +++ b/scripts/base/protocols/ssh/main.bro | |
| @@ -108,6 +108,8 @@ function check_ssh_connection(c: connection, done: bool) | |
| if ( c$ssh$done ) | |
| return; | |
| + lookup_connection(c$id); | |
| + |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| cwho () { ADDR=$1; host $ADDR; geoiplookup $ADDR | tail -n1; whois -h whois.cymru.com -- "-p -c -n -r -u -e -w ${ADDR}" | grep -v "^AS"; } |