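# badweb: flag HTTP requests that probe for well-known vulnerable or
# information-leaking CGI programs and scripts.
#
# For every complete request line sent by a client to a watched web
# server on port 80 that contains one of the strings in query_list, one
# histogram row is recorded: time, connection hash, client IP, server IP
# and the offending request line.
#
# Detection caveats (worth knowing before trusting the output):
#   - matching is a plain, case-sensitive substring search on the raw
#     request line (hence the explicit case variants of "AnyForm" below);
#     URL-encoded or otherwise obfuscated paths such as
#     "%2fcgi-bin%2fphf" are NOT caught.  A hit is a strong signal; the
#     absence of one is not evidence the server was left alone.
#   - only dport 80 is watched; HTTPS and servers on other ports are not.
#   - "/robots.txt" is a normal crawler request, so expect benign noise
#     from that entry.

# histogram schema: time, connection hash, client ip, server ip, request line
badweb_schema = library_schema:new( 1, ["time", "int", "ip", "ip", "str"], scope());

# list of web servers to watch.  List IP address of servers or a netmask
# that matches all.  Use 0.0.0.0:0.0.0.0 to match any server.
da_web_servers = [ 0.0.0.0:0.0.0.0 ] ;

# request substrings that indicate a probe for a known-bad CGI.
# Entries overlap ("AnyForm" is a substring of "AnyForm2"); the filter
# records a line at most once no matter how many entries match it.
query_list = [
    "/cgi-bin/test-cgi.tcl?",
    "/cgi-bin/nph-test-cgi?",
    "/cgi-bin/test-cgi?",
    "/cgi-bin/perl.exe?",
    "/cgi-bin/phf?",
    "/scripts/snork.bat?",
    "/cgi-bin/bash?",
    "/cgi-bin/tcsh?",
    "/cgi-bin/rksh?",
    "/cgi-bin/perl?",
    "/cgi-bin/finger?",
    "/cgi-bin/faxsurvey",
    "/robots.txt",
    "AnyForm2",
    "AnyForm",
    "Anyform2",
    "anyForm2",
    "anyform2",
    "anyform",
    "Anyform",
    "anyForm",
    "formmail.pl",
    "formmail",
    "guestbook.pl",
    "guestbook",
    "/cgi-shl/win-c-sample.exe?",
    "/cgi-bin/php.cgi?",
    "/cgi-bin/wrap?",
    "/cgi-bin/handler/",
    "/cgi-bin/aglimpse",
    "/cgi-win/uploader.exe",
    "/mlog.phtml?",
    "/mylog.phtml?",
    "/cgi-bin/Count.cgi?",
    "/scripts/tools/newdsn.exe?",
    "/cgi-bin/MachineInfo",       # comma was missing here, fusing it with the next entry
    "::$",                        # -pn
    "webdist.cgi"                 # per Phil Wood cpw@lanl.gov
] ;

# Reassemble the client side of each HTTP connection to port 80 into
# complete lines and scan each line for the strings in query_list.
filter bweb tcp ( client, dport: 80 )
{
    if (! ( tcp.connDst inside da_web_servers) )
        return;

    # per-connection reassembly buffer, carried across packets
    declare $blob inside tcp.connSym;
    if ($blob == null)
        $blob = tcp.blob;
    else
        $blob = cat ( $blob, tcp.blob );

    # consume every complete line currently in the buffer
    while (1 == 1) {
        $x = index( $blob, "\n" );
        if ($x < 0)          # no complete line yet; wait for more data
            break;

        # tear off the line, dropping a trailing CR if there is one
        # (guard $x > 0 so an empty line never indexes before the buffer)
        $t = substr($blob, 0, $x);
        if ($x > 0) {
            if (substr($blob, $x - 1, 1) == '\r')
                $t = substr($blob, 0, $x - 1);
        }

        # advance past this line BEFORE scanning, so a line that matches
        # nothing is never re-examined.  The previous version only advanced
        # after a hit and otherwise re-found the same newline forever; it
        # also searched the whole buffer rather than the line it recorded,
        # which produced duplicate rows for a single bad request.
        $blob = substr($blob, $x + 1);

        # scan the line itself, and record it at most once
        $counter = 0;
        foreach $y inside (query_list) {
            if ($counter == 0) {
                if (index( $t, $y ) >= 0) {
                    $counter = 1;
                    # save the time, the connection hash, the client,
                    # the server, and the request line to the histogram
                    record system.time, tcp.connHash, tcp.connSrc, tcp.connDst, $t to badweb_hist;
                }
            }
        }
    }

    # keep us from getting flooded if there is no newline in the data
    if (strlen($blob) > 4096)
        $blob = "";
}

badweb_hist = recorder ("bin/histogram packages/test/badweb.cfg", "badweb_schema" );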