[Bro] Log an Arbitrarily Long Collection
Siwek, Jonathan Luke
jsiwek at illinois.edu
Thu Sep 12 08:13:17 PDT 2013
> Jon, I took your advice and used header-names.bro as a template. However, it seems to be that header-names.bro in the policy folder has a couple of key logic flaws. The const type boolean types allow both client and server headers to be enumerated. However, if you look at the "http_header" handler, you can see that this function will return immediately for any event that is not "is_orig", in other words it will return for server responses with no work done. Furthermore, if you set the const boolean value for server responses to True (T), the logic in the event handler is such that you will just get the client header names populated in the server header names vector.
I think your read is correct. The tracking of server headers was probably something that got added in as an after-thought and never tested since that script isn't loaded by default anywhere. Thanks for pointing that out.
> I have attached a (lightly tested) modified and expanded version of this script called header-names-and-vals.bro.
Your version looks good, though the initial check for c?$http being set is still a nice thing to leave in.
> Also, happy to hear feedback/best practices on how to escape commas in a vector listing (I just gsubbed them with c).
I think they should automatically get escaped when appearing within a container value and you shouldn't have to worry about it. Did you see differently?
More information about the Bro