Bro HTTP Content Security Policy parser package
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
scripts
LICENSE
README.md
__load__.bro
bro-pkg.meta

README.md

HTTP CSP Parser

Package functionality and architecture

This package will:

  • Parse HTTP Content-Security-Policy reports. After parsing is done it will fire an HTTP_CSP::Report event that can be used later to extend basic functionality,
  • Log every (or only some) report to csp_report.log file,
  • Use Bro Intelligence Framework to cross check domains in blocked-uri field against your threat intel.

Package contains 3 modules:

  • main.bro - required,
  • logger.bro - optional,
  • intel.bro - optional.

You can skip loading optional files in case you don't want to log reports or use intel framework.

tunables

You can also redefine following constants to customize package behaviour.

  • HTTP_CSP::all_sites - parse every report seen (look for csp-report keyword in every HTTP POST request),
  • HTTP_CSP::monitored_sites - parse only reports sent to specified hosts.