[Bro] Log an Arbitrarily Long Collection

Christian Buia christianbuia at gmail.com
Thu Sep 12 17:36:05 PDT 2013

Thanks for your response Jon.  You're right, commas are already escaped as
"\x2c", so gsub is not needed.  Thank you for the heads up!


On Thu, Sep 12, 2013 at 11:13 AM, Siwek, Jonathan Luke
<jsiwek at illinois.edu> wrote:

> > Jon, I took your advice and used header-names.bro as a template.
> > However, it seems to be that header-names.bro in the policy folder has a
> > couple of key logic flaws.  The const type boolean types allow both client
> > and server headers to be enumerated.  However, if you look at the
> > "http_header" handler, you can see that this function will return
> > immediately for any event that is not "is_orig", in other words it will
> > return for server responses with no work done.  Furthermore, if you set the
> > const boolean value for server responses to True (T), the logic in the
> > event handler is such that you will just get the client header names
> > populated in the server header names vector.
>
> I think your read is correct.  The tracking of server headers was probably
> something that got added in as an after-thought and never tested since that
> script isn't loaded by default anywhere.  Thanks for pointing that out.
>
> > I have attached a (lightly tested) modified and expanded version of this
> > script called header-names-and-vals.bro.
>
> Your version looks good, though the initial check for c?$http being set is
> still a nice thing to leave in.
>
> > Also, happy to hear feedback/best practices on how to escape commas in a
> > vector listing (I just gsubbed them with &#2c).
>
> I think they should automatically get escaped when appearing within a
> container value and you shouldn't have to worry about it.  Did you see
> differently?
>
> - Jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: header-names-and-vals.bro
Type: application/octet-stream
Size: 1618 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130912/5f77d5fa/attachment.obj 
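
Added example (not part of the original message or its attachment): reading a logged vector column back into its elements, relying on the "\x2c" escaping of commas confirmed in this thread. It assumes the ASCII log writer's default settings ("," as the set separator, "(empty)" for an empty container, "-" for an unset field); the function names and the sample field are constructed for illustration.

```python
import re

# Assumed defaults of the ASCII log writer; adjust if the deployment overrides them.
SET_SEPARATOR = ","      # separates elements of a vector/set column
EMPTY_FIELD = "(empty)"  # marker for an empty container
UNSET_FIELD = "-"        # marker for a field that was never set

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape(value):
    """Turn \\xNN escapes written by the logger back into the original characters."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_container(field):
    """Split one vector/set column into its elements (None if unset)."""
    if field == UNSET_FIELD:
        return None
    if field == EMPTY_FIELD:
        return []
    # Split first, unescape second: an escaped comma belongs to the value
    # and must not be treated as an element boundary.
    return [unescape(item) for item in field.split(SET_SEPARATOR)]


def naive_parse(field):
    """Wrong order (unescape, then split), kept only for comparison."""
    return unescape(field).split(SET_SEPARATOR)


# Constructed sample: three header values, two of which contain commas.
SAMPLE_FIELD = (
    r"Mozilla/5.0 (X11; Linux),"
    r"text/html\x2c application/xml;q=0.9,"
    r"gzip\x2c deflate"
)

if __name__ == "__main__":
    print(parse_container(SAMPLE_FIELD))  # three elements, commas restored
    print(naive_parse(SAMPLE_FIELD))      # five fragments, values torn apart
```

Splitting before unescaping is what keeps header values such as Accept or Accept-Encoding intact when the log is post-processed.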
