Seth Hall sethhall

## conn.log
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	conn
#open	2014-04-10-13-34-01
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	count	string	count	count	count	count	set[string]
1397073996.257496	CHkC542U0S9hPPSQ0g	192.168.11.1	54848	192.168.11.128	443	tcp	ssl	0.022342	233	17871	SF	-	0	ShADadFf	13	765	17	18563	(empty)
#close	2014-04-10-13-34-01

## myextract-with-domain.bro
redef record fa_file += {
	is_my_extractor_going: bool &default=F;
};

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
	{
	if ( !f$is_my_extractor_going )
		{
		f$is_my_extractor_going=T;
		if ( f$source == "HTTP" && is_orig == F )

## myextract.bro
redef record fa_file += {
	is_my_extractor_going: bool &default=F;
};

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
	{
	if ( !f$is_my_extractor_going )
		{
		f$is_my_extractor_going=T;
		if ( f$source == "HTTP" && is_orig == F )

## test-track-memory.bro
global my_table: table[count] of count = { };

event bro_init()
	{
	print val_size(my_table);

	my_table[1] = 1;
	my_table[2] = 2;
	my_table[3] = 3;
	print val_size(my_table);

## gist:6283197
diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICM
index 732727d..43e961e 100644
--- a/src/analyzer/protocol/icmp/ICMP.cc
+++ b/src/analyzer/protocol/icmp/ICMP.cc
@@ -100,8 +100,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* dat
        else if ( ip->NextProto() == IPPROTO_ICMPV6 )
                NextICMP6(current_timestamp, icmpp, len, caplen, data, ip);
        else
-               reporter->InternalError("unexpected next protocol in ICMP::Deliv
-

## bro-exchange-update-watcher.bro

redef exit_only_after_terminate = T;

module BroExchangeWatch;

export {
	redef enum Notice::Type += {
		Woo,
	};
}

## http-header-logs.bro
##! Extract and include the header names used for each request in the HTTP
##! logging stream.  The headers in the logging stream will be stored in the
##! same order which they were seen on the wire.

@load base/protocols/http/main

module HTTP;

export {
	redef record Info += {

## http-title-ripper.bro
@load base/protocols/http

module HTTPTitleRipper;

export {
	## The depth to search for titles in HTTP response bodies.
	const search_depth = 10000;

	redef record HTTP::Info += {
		## A title from the webpage.

## rules-for-base.rst

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                sethhall
                / rules-for-base.rst
            
            
              Created
              July 22, 2013 18:17
            
              
                Rules for base/
              
          
    Rules for base


No printing! Use the reporter instead.
Frameworks shouldn't cause any performance overhead merely by the act of loading them.
If you really have to handle events outside of those generated by the module you're working on (like connection_established or connection_state_remove) triple check your code.


## gist:5952451
@load base/protocols/http

const watchlist_url_patterns = /^.*/test.php\// &redef;

redef record Conn::Info += {
        content_disposition: string &optional &log;
};

event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
        {
	#separator \x09
	#set_separator ,
	#empty_field (empty)
	#unset_field -
	#path conn
	#open 2014-04-10-13-34-01
	#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
	#types time string addr port addr port enum string interval count count string bool count string count count count count set[string]
	1397073996.257496 CHkC542U0S9hPPSQ0g 192.168.11.1 54848 192.168.11.128 443 tcp ssl 0.022342 233 17871 SF - 0 ShADadFf 13 765 17 18563 (empty)
	#close 2014-04-10-13-34-01
	redef record fa_file += {
	is_my_extractor_going: bool &default=F;
	};

	event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
	{
	if ( !f$is_my_extractor_going )
	{
	f$is_my_extractor_going=T;
	if ( f$source == "HTTP" && is_orig == F )
	global my_table: table[count] of count = { };

	event bro_init()
	{
	print val_size(my_table);

	my_table[1] = 1;
	my_table[2] = 2;
	my_table[3] = 3;
	print val_size(my_table);
	diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICM
	index 732727d..43e961e 100644
	--- a/src/analyzer/protocol/icmp/ICMP.cc
	+++ b/src/analyzer/protocol/icmp/ICMP.cc
	@@ -100,8 +100,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* dat
	else if ( ip->NextProto() == IPPROTO_ICMPV6 )
	NextICMP6(current_timestamp, icmpp, len, caplen, data, ip);
	else
	- reporter->InternalError("unexpected next protocol in ICMP::Deliv
	-

	redef exit_only_after_terminate = T;

	module BroExchangeWatch;

	export {
	redef enum Notice::Type += {
	Woo,
	};
	}
	@load base/protocols/http

	module HTTPTitleRipper;

	export {
	## The depth to search for titles in HTTP response bodies.
	const search_depth = 10000;

	redef record HTTP::Info += {
	## A title from the webpage.
	@load base/protocols/http

	const watchlist_url_patterns = /^.*/test.php\// &redef;

	redef record Conn::Info += {
	content_disposition: string &optional &log;
	};

	event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
	{