[Bro] HTTP Post data

Martin Holste mcholste at gmail.com
Fri Mar 9 07:57:37 PST 2012

This is important enough that the Bro team might want to work on
something that's on by default.  Specifically, many attackers hide
SQLi in POST params, so auto-extracting and logging some default,
finite limit of POST params into the HTTP log would be a big win for
the community.

On Fri, Mar 9, 2012 at 8:35 AM, Will Havlovick
<will.havlovick at zenimax.com> wrote:
> Very cool!
> I will check this out.  We have had some interesting data in forms that are being submitted.
> Thank you,
> Will
> -----Original Message-----
> From: matthias at vallentin.net [mailto:matthias at vallentin.net] On Behalf Of Matthias Vallentin
> Sent: Thursday, March 08, 2012 12:30 PM
> To: Will Havlovick
> Cc: bro at bro-ids.org
> Subject: Re: [Bro] HTTP Post data
>> Is there a way to write the data(body) of a HTTP Post request to the
>> http.log? Or another log file?
> Yes, that's possible. You would have to reassemble the data from the body across the http_entity_* events. Here is an example of how one could do it:
> https://github.com/mavam/brospects/blob/master/bro/bodies.bro
>    Matthias
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list