Experimental Bro scripts with good prospects for the official bro-scripts repository.
README.markdown

This repository is a mixed bag of Bro scripts that are too specific to be included in the official Bro scripts repository. The scripts are of an experimental nature and might have a few rough edges, so you are welcome to ping me for feedback and clarifications.

Please see the file COPYING for the license details.

Documentation

bodies.bro

This script reassembles HTTP bodies and raises an event with the complete contents. Concretely, it reassembles the current request and/or response body via the http_entity_{begin,data,end} events and raises the new event http_body, which has the following signature:

```bro
http_body: event(c: connection, is_orig: bool, data: string, size: count);
```

As with all Bro HTTP scripts, is_orig differentiates requests from replies. The field data contains the body and size holds the body length in bytes.

Because keeping track of all HTTP bodies would likely exceed the amount of available memory, the script needs to focus on a subset of HTTP message bodies. It offers the following variables in the namespace HTTP to do so (all of them are evaluated when a body starts, so a body that is not hooked is never buffered):

```bro
## Flag that indicates whether to hook request bodies.
const hook_request_bodies = F &redef;

## Flag that indicates whether to hook reply bodies.
const hook_reply_bodies = T &redef;

## The pattern applies
const hook_host_pattern = /.*/ &redef;

## Do not buffer more than this amount of bytes per HTTP message.
const max_body_size = 50000000;
```

Requires Bro 2.x
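As an added example of consuming this API (it is not part of this repository and not the author's code), the script below loads bodies.bro, narrows the hooked bodies to replies from hosts matching a hypothetical pattern, and raises a notice whenever a complete reply body begins with the DOS/PE "MZ" magic. The module name, notice type, host pattern and the assumption that the file sits next to bodies.bro are all choices made for this example; it uses only the http_body event and the HTTP::hook_* variables documented above.

```bro
# Added example, not part of this repository. Assumes this file lives in the
# same directory as bodies.bro (hence the relative @load).
@load ./bodies

module HTTPBodyDemo;

export {
    redef enum Notice::Type += {
        ## A complete HTTP reply body that starts with the DOS/PE "MZ" magic.
        Executable_Body,
    };
}

# Policy for bodies.bro: buffer reply bodies only, and only for hosts whose
# Host header matches this (hypothetical) pattern, so that memory is spent on
# the traffic we actually care about. max_body_size is not redef'd because the
# page shows it without &redef.
redef HTTP::hook_request_bodies = F;
redef HTTP::hook_reply_bodies = T;
redef HTTP::hook_host_pattern = /.*\.example\.com$/;

# Handler for the event raised by bodies.bro once a body is fully reassembled.
# data is the entire body and size its length in bytes, so we can inspect the
# first bytes of the payload without tracking any per-connection state.
event http_body(c: connection, is_orig: bool, data: string, size: count)
    {
    # is_orig == T means the body belongs to the request; we only want replies.
    if ( is_orig )
        return;

    # A body shorter than the magic can never match.
    if ( size < 2 )
        return;

    if ( /^MZ/ in data )
        {
        local uri = c?$http && c$http?$uri ? c$http$uri : "<unknown>";
        NOTICE([$note=Executable_Body,
                $msg=fmt("executable reply body (%d bytes) from %s for %s",
                         size, c$id$resp_h, uri),
                $conn=c,
                $identifier=cat(c$id$resp_h, uri)]);
        }
    }
```

Run it with the rest of the repository on the load path, e.g. `bro -r trace.pcap ./http-body-demo.bro` (the file name is a placeholder). The $identifier field lets Bro's notice framework suppress repeated notices for the same server and URI, which matters because a single download page may trigger the handler once per fetched object.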

facebook.bro

This script analyses Facebook webchat sessions and extracts messages between two conversing buddies. My blog contains a few more details about this script.

arpspoof.bro

This script analyzes ARP traffic for gratuitous replies, spoofed fields in replies, and spoofed fields in requests, as well as conflicts with existing entries in the ARP table and DHCP assignments.
