- No printing! Use the reporter instead.
- Frameworks shouldn't cause any performance overhead merely by the act of loading them.
- If you really have to handle events outside of those generated by the module you're working on (like connection_established or connection_state_remove), triple-check your code: such events fire for every connection, so any cost you add there is paid on every connection.
#separator \x09 | |
#set_separator , | |
#empty_field (empty) | |
#unset_field - | |
#path conn | |
#open 2014-04-10-13-34-01 | |
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents | |
#types time string addr port addr port enum string interval count count string bool count string count count count count set[string] | |
1397073996.257496 CHkC542U0S9hPPSQ0g 192.168.11.1 54848 192.168.11.128 443 tcp ssl 0.022342 233 17871 SF - 0 ShADadFf 13 765 17 18563 (empty) | |
#close 2014-04-10-13-34-01 |
redef record fa_file += {
	## Per-file guard flag. file_over_new_connection below tests this and
	## sets it to T before doing any work, so the extractor is started at
	## most once per file even if that event is raised again for the same
	## file.
	is_my_extractor_going: bool &default=F;
};
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) | |
{ | |
if ( !f$is_my_extractor_going ) | |
{ | |
f$is_my_extractor_going=T; | |
if ( f$source == "HTTP" && is_orig == F ) |
redef record fa_file += {
	## Per-file guard flag. file_over_new_connection below tests this and
	## sets it to T before doing any work, so the extractor is started at
	## most once per file even if that event is raised again for the same
	## file.
	is_my_extractor_going: bool &default=F;
};
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) | |
{ | |
if ( !f$is_my_extractor_going ) | |
{ | |
f$is_my_extractor_going=T; | |
if ( f$source == "HTTP" && is_orig == F ) |
## Scratch table for demonstrating val_size(): bro_init() below prints its
## size while empty and again after three entries have been inserted.
global my_table: table[count] of count = { };
event bro_init() | |
{ | |
print val_size(my_table); | |
my_table[1] = 1; | |
my_table[2] = 2; | |
my_table[3] = 3; | |
print val_size(my_table); |
diff --git a/src/analyzer/protocol/icmp/ICMP.cc b/src/analyzer/protocol/icmp/ICM | |
index 732727d..43e961e 100644 | |
--- a/src/analyzer/protocol/icmp/ICMP.cc | |
+++ b/src/analyzer/protocol/icmp/ICMP.cc | |
@@ -100,8 +100,7 @@ void ICMP_Analyzer::DeliverPacket(int len, const u_char* dat | |
else if ( ip->NextProto() == IPPROTO_ICMPV6 ) | |
NextICMP6(current_timestamp, icmpp, len, caplen, data, ip); | |
else | |
- reporter->InternalError("unexpected next protocol in ICMP::Deliv | |
- |
## Keep the process alive until terminate() is called explicitly instead of
## exiting once input is exhausted (as the option name indicates).
redef exit_only_after_terminate = T;

module BroExchangeWatch;

export {
	redef enum Notice::Type += {
		## Notice type registered by this module. Nothing visible here
		## raises it yet; the code that does is not shown.
		Woo,
	};
}
##! Extract and include the header names used for each request in the HTTP | |
##! logging stream. The headers in the logging stream will be stored in the | |
##! same order which they were seen on the wire. | |
@load base/protocols/http/main | |
module HTTP; | |
export { | |
redef record Info += { |
@load base/protocols/http | |
module HTTPTitleRipper; | |
export { | |
## The depth to search for titles in HTTP response bodies. | |
const search_depth = 10000; | |
redef record HTTP::Info += { | |
## A title from the webpage. |
@load base/protocols/http | |
const watchlist_url_patterns = /^.*/test.php\// &redef; | |
redef record Conn::Info += {
	## Content-Disposition value recorded for the connection and written to
	## conn.log. Presumably populated by http_all_headers below from the raw
	## header value — confirm; if so it is attacker-controlled text copied
	## verbatim from the wire, so consumers of the log must not assume it is
	## well-formed.
	content_disposition: string &optional &log;
};
event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list) | |
{ |