[Bro] HTTP Post data
mcholste at gmail.com
Fri Mar 9 07:57:37 PST 2012
This is important enough that the Bro team might want to work on
something that's on by default. Specifically, many attackers hide
SQLi in POST params, so auto-extracting and logging some default,
finite limit of POST params into the HTTP log would be a big win for
On Fri, Mar 9, 2012 at 8:35 AM, Will Havlovick
<will.havlovick at zenimax.com> wrote:
> Very cool!
> I will check this out. We have had some interesting data in forms that are being submitted.
> Thank you,
> -----Original Message-----
> From: matthias at vallentin.net [mailto:matthias at vallentin.net] On Behalf Of Matthias Vallentin
> Sent: Thursday, March 08, 2012 12:30 PM
> To: Will Havlovick
> Cc: bro at bro-ids.org
> Subject: Re: [Bro] HTTP Post data
>> Is there a way to write the data(body) of a HTTP Post request to the
>> http.log? Or another log file?
> Yes, that's possible. You would have to reassemble the data from the body across the http_entity_* events. Here is an example of how one could do it:
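The script the quoted reply pointed to is not reproduced on this page. As an added example (not code from the thread or from the Bro project), the following Bro script sketches the reassembly across `http_entity_data` events described above, with the finite cap suggested in the top reply. The field name `post_body` and the option `post_body_limit` are assumptions chosen for illustration.

```bro
# Added example: log a capped prefix of each HTTP POST body in http.log.
module HTTP;

export {
	# Assumed default cap (bytes) on how much of a body is logged.
	const post_body_limit = 1024 &redef;

	redef record Info += {
		# Hypothetical field name; shows up as an extra http.log column.
		post_body: string &log &optional;
	};
}

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
	{
	# Only client-to-server entity data of POST requests is collected.
	if ( ! is_orig || ! c?$http || ! c$http?$method )
		return;
	if ( c$http$method != "POST" )
		return;

	# The body arrives in chunks; start with an empty buffer.
	if ( ! c$http?$post_body )
		c$http$post_body = "";

	local have = |c$http$post_body|;

	# Stop once the cap is reached so large uploads do not bloat
	# the log or the per-connection state.
	if ( have >= post_body_limit )
		return;

	# Append only as many bytes as still fit under the cap.
	local room = post_body_limit - have;
	c$http$post_body = string_cat(c$http$post_body, sub_bytes(data, 1, room));
	}
```

Logged bodies can contain credentials and other form secrets, so access to http.log should be restricted accordingly once this is loaded.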