Content conditions are defined by regular expressions. We differentiate two
kinds of content conditions: first, the expression may be declared with the
payload statement, in which case it is matched against the raw
payload of a connection (for reassembled TCP streams) or of each packet.
Alternatively, it may be prefixed with an analyzer-specific label, in which
case the expression is matched against the data as extracted by the
corresponding analyzer.
A payload condition has the form
payload /regular expression/
Currently, the following analyzer-specific content conditions are defined (note that the corresponding analyzer has to be activated by loading its policy script):
http-request /regular expression/
http-request-header /regular expression/
http-reply-header /regular expression/
ftp /regular expression/
finger /regular expression/
For example, http-request /(etc\/(passwd|shadow))/ matches any URI
containing either etc/passwd or etc/shadow.
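The two kinds of content condition side by side, as an added example that is not part of the original documentation. It assumes the Bro/Zeek signature block form, the ip-proto and dst-port header conditions, and the event statement, none of which appear on this page; the signature names and event strings are hypothetical.

```zeek
# Added illustration; signature names and event strings are hypothetical.

# Raw payload condition: matched against the reassembled TCP stream
# (or against each packet), so the pattern sees the bytes as sent.
signature raw-etc-passwd {
  ip-proto == tcp
  dst-port == 80
  # Leading .* is an assumption: it lets the pattern match at any offset
  # if patterns are anchored at the first payload byte.
  payload /.*etc\/(passwd|shadow)/
  event "etc/passwd or etc/shadow in raw payload"
}

# Analyzer-specific condition: matched against the URI as extracted by the
# HTTP analyzer, which has to be activated by loading its policy script.
signature uri-etc-passwd {
  ip-proto == tcp
  http-request /.*etc\/(passwd|shadow)/
  event "etc/passwd or etc/shadow in HTTP request URI"
}
```

The payload form can fire on the string anywhere in a port-80 stream, including request bodies, while the http-request form is limited to the URI the analyzer extracted.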