Commits on Nov 24, 2012
  1. Retire Facebook chat script.

    Since Facebook recently switched to HTTPS only, this script no longer works on
    live traffic. It is still available as a separate gist for educational purposes:
    Closes #1.
    committed Nov 24, 2012
Commits on Dec 1, 2011
  1. Add meta.bro for event profiling.

    This script is intended for profiling the event load. It only works in the
    branch topic/matthias/meta-analysis. See the comments in the file for details.
    committed Dec 1, 2011
Commits on Nov 27, 2011
  1. Improve the Duqu detector.

    The previous version of the detector incorrectly handled the http_request event
    and tried to use yet unpopulated fields of c$http in there, such as
    request_body_len or the cookie value. Now we process the http message in the
    event http_message_done to make sure that the message contains all the
    necessary fields.
    Based on the log files from CrySys Lab, it seems that the POST occurs before
    the initial JPEG GET, as reported in the Symantec report. However, this could
    just be a capturing artefact, which is why the detector's state machine still
    uses the JPEG GET request as prerequisite event before the POST. If other
    traces confirm that the GET and POST are decoupled, it makes sense to decouple
    the state machine.
    committed Nov 27, 2011
Commits on Nov 10, 2011
  1. Update README.

    committed Nov 10, 2011
  2. Update README.

    committed Nov 10, 2011
Commits on Nov 9, 2011
  1. Fix whitespace via :retab.

    committed Nov 9, 2011
  2. Add a rough Duqu detector.

    This script is based on Symantec's description of Duqu's network behavior, as
    described in It implements a small state machine
    that tracks Duqu's HTTP request/response behavior. Currently, it does not track
    the SMB C&C behavior. If you have a sample trace of Duqu, please contact me so
    that I can improve it.
    committed Nov 9, 2011
Commits on Nov 4, 2011
  1. Tweak JSON value extraction.

    committed Nov 4, 2011
Commits on Nov 3, 2011
  1. Nitpick on wording.

    committed Nov 3, 2011
  2. Update Facebook webchat analyzer for Bro 2.x.

    This revamped version of facebook.bro uses the new bodies.bro script to keep
    track of HTTP bodies. The previous version had a tightly coupled implementation
    of the two rather disjoint concepts. Now, facebook.bro is much cleaner and
    focuses only on the tasks it needs to get done, which is parsing HTTP bodies.
    With the new Bro 2.x logging framework, the output of this script is now a
    separate stream that logs into facebook.log. Here is some example output:
        #separator \x09
        #path   facebook
        #fields timestamp       chat_from       chat_to chat_msg
        #types  string  string  string  string
        1303218454567   Mondo Cheeze    Udder Kaos      So I need the URL, dude.  What is it?
        1303218465938   Udder Kaos      Mondo Cheeze    the URL?
        1303218474259   Mondo Cheeze    Udder Kaos      Yeah for the secret image
        1303218481721   Udder Kaos      Mondo Cheeze    ok lemme see
    committed Nov 3, 2011
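    The two commit messages above touch the same two pieces of practical work: the
    Bro 2.x ASCII log layout (#separator / #fields / #types headers) shown in the
    facebook.log sample, and the GET-then-POST state machine described for the Duqu
    detector (Nov 27, 2011). The following is an added example, not code from this
    repository or from Bro: a header-driven parser for that log format, and the
    JPEG-GET-before-POST check from the Duqu commit run offline over a constructed
    http.log rather than live inside Bro. The log lines, addresses, URIs and the
    5-minute window are all made up for illustration; the detector keeps the JPEG
    GET as a prerequisite of the POST, exactly the choice the commit describes.

```python
"""Parse a Bro/Zeek ASCII log and run a JPEG-GET-then-POST check over it.

Added example; not the repository's own code. The log below is constructed.
"""
import re

# Constructed http.log in the Bro 2.x ASCII layout (same header scheme as the
# facebook.log sample). Addresses, URIs, sizes and timestamps are invented.
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#path\thttp",
    "#fields\tts\tid.orig_h\tid.resp_h\tmethod\turi\trequest_body_len\tstatus_code",
    "#types\ttime\taddr\taddr\tstring\tstring\tcount\tcount",
    "\t".join(["1321900000.10", "10.0.0.5", "203.0.113.7", "GET", "/index.html", "-", "200"]),
    "\t".join(["1321900001.20", "10.0.0.5", "203.0.113.7", "GET", "/images/photo.jpg", "0", "200"]),
    "\t".join(["1321900002.30", "10.0.0.5", "203.0.113.7", "POST", "/", "1512", "200"]),
    # POST with no preceding JPEG GET from this client: must not fire.
    "\t".join(["1321900003.40", "10.0.0.9", "203.0.113.7", "POST", "/", "400", "200"]),
    # Same client, but POST goes to a different server: must not fire.
    "\t".join(["1321900004.50", "10.0.0.5", "198.51.100.2", "POST", "/upload", "900", "200"]),
    "#close\t2011-11-21-20-00-05",
])


def _convert(typ, raw, unset):
    """Map a raw field to a Python value according to its #types entry."""
    if raw == unset:
        return None
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "double", "interval"):
        return float(raw)
    if typ == "bool":
        return raw == "T"
    return raw  # addr, string, enum, ... stay as text


def parse_bro_log(text):
    """Return a list of dicts, one per record, driven entirely by the header."""
    sep, unset = "\t", "-"
    fields = types = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The value is an escape sequence such as \x09; decode it.
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key == "fields":
                fields = vals
            elif key == "types":
                types = vals
            elif key == "unset_field":
                unset = vals[0]
            continue  # #path, #open, #close, #set_separator, ... are ignored
        if fields is None or types is None:
            raise ValueError("record before #fields/#types header")
        vals = line.split(sep)
        records.append({n: _convert(t, v, unset) for n, t, v in zip(fields, types, vals)})
    return records


JPEG_URI = re.compile(r"\.jpe?g$", re.IGNORECASE)


def find_jpeg_get_then_post(records, window=300.0):
    """Flag a POST that follows a JPEG GET on the same client/server pair.

    The JPEG GET is a prerequisite of the POST, as in the commit message; the
    `window` (seconds, invented) bounds how long a GET stays pending.
    """
    pending = {}  # (orig_h, resp_h) -> ts of the most recent JPEG GET
    hits = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        key = (r["id.orig_h"], r["id.resp_h"])
        if r["method"] == "GET" and r["uri"] and JPEG_URI.search(r["uri"]):
            pending[key] = r["ts"]
        elif r["method"] == "POST" and key in pending:
            if r["ts"] - pending[key] <= window:
                hits.append({
                    "orig_h": key[0], "resp_h": key[1],
                    "get_ts": pending[key], "post_ts": r["ts"],
                    "request_body_len": r["request_body_len"],
                })
            del pending[key]  # one POST consumes the pending GET
    return hits


if __name__ == "__main__":
    for hit in find_jpeg_get_then_post(parse_bro_log(SAMPLE_HTTP_LOG)):
        print("JPEG GET then POST: %(orig_h)s -> %(resp_h)s, %(request_body_len)d bytes" % hit)
```

    Only the pair from 10.0.0.5 to 203.0.113.7 is reported; the POST without a
    prior JPEG GET and the POST to a different server are both ignored, which is
    what coupling the two requests in the state machine buys you. Decoupling them,
    as the commit contemplates, would mean keeping both events per pair and firing
    in either order.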
Commits on Jul 12, 2011
Commits on Jun 14, 2011
  1. Initial import.

    committed Jun 12, 2011