On Apr 30, 2014, at 12:18 PM, Jim Mellander <[email protected]> wrote:
> For a number of reasons, I elected to write the attached bro policy, which
> looks at http POSTs and performs regular expression matching on the posted
> data.

Thanks for sharing.

> Kudos to the first person who finds the minor inconsistency that I elected
> not to address.

Maybe not what you were referring to, but I had two concerns:

(1) “connection_end” doesn’t seem to be a defined event, maybe it's meant to be “connection_state_remove”.

(2) Having the global “POST_entities” and “POST_requests” tables without &read_expire (or another expiry attribute) makes me nervous. Though I think the clean up in “http_end_entity” should catch everything, if it doesn’t, that will lead to memory usage issues over time (especially since “connection_end” won’t be a cleanup safety net as intended).

- Jon
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
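The two concerns in the reply above, sketched as Bro script. This is an added example, not the attached policy (which is not shown on this page) and not code from either participant. Only the table names and event names come from the message; the module name, key and value types, the pattern, the 5 min timeout and the body size cap are assumptions.

```bro
# Added illustration: table and event names follow the message,
# everything else here is assumed.
module PostMatch;

export {
    # Constructed sample pattern, not taken from the original policy.
    const post_pattern = /passwd=|cmd=/ &redef;
    # Assumed upper bound on buffered POST body bytes per connection.
    const max_body = 65536 &redef;
}

# Keyed by connection uid. &read_expire drops entries that have not been
# read or written for 5 minutes, so a missed cleanup cannot leak memory.
global POST_requests: table[string] of string &read_expire = 5 min;
global POST_entities: table[string] of string &read_expire = 5 min;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    if ( method == "POST" )
        {
        POST_requests[c$uid] = original_URI;
        POST_entities[c$uid] = "";
        }
    }

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    # Buffer client-side body data only, and stop growing at the cap.
    if ( is_orig && c$uid in POST_entities && |POST_entities[c$uid]| < max_body )
        POST_entities[c$uid] = POST_entities[c$uid] + data;
    }

event http_end_entity(c: connection, is_orig: bool)
    {
    if ( ! is_orig || c$uid !in POST_entities )
        return;
    if ( c$uid in POST_requests && post_pattern in POST_entities[c$uid] )
        print fmt("POST match %s %s", c$uid, POST_requests[c$uid]);
    delete POST_entities[c$uid];
    delete POST_requests[c$uid];
    }

# Safety net on a defined event: runs when the connection leaves memory.
event connection_state_remove(c: connection)
    {
    delete POST_entities[c$uid];
    delete POST_requests[c$uid];
    }
```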
