[Bro] Log::add_filter with mime_type or filename predicate

Thomas, Eric D edthoma at sandia.gov
Mon Sep 30 12:08:18 PDT 2013

I'm looking for the new way (in 2.2) for filtering HTTP::LOG logging based
upon mime_type or filename. It seems with the new file analysis framework
the filename and mime_type of an HTTP connection are set in HTTP::Info in
base/protocols/http/entities.bro inside the file_over_new_connection
event. However I'm thinking at this point that that event is triggered
only AFTER the HTTP::LOG filter predicates are processed, since all of the
new entities fields in the HTTP::Info record are "<uninitialized>" when
printed from the predicate function. Here is a possibly helpful code
snippet that goes inside bro_init() (Excuse the formatting, not much I can

event bro_init()
	{
	Log::add_filter(HTTP::LOG, [$name = "http-executables",
		$path = "http_exe",
		$pred(rec: HTTP::Info) =
			{
			print "file:", rec;
			return 1==1;
			# This line was in the predicate function, but it no longer works
			# return rec?$mime_type && rec$mime_type == "application/x-dosexec";
			}]);
	}



Eric Thomas

edthoma at sandia.gov
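One way to get the same result without depending on when HTTP::Info is written is to log matching files from the file_over_new_connection event itself, into a dedicated stream. This is an added example, not code from the post or from the Bro distribution; it assumes a Bro 2.2 fa_file record that carries an optional mime_type field, and the module name, log ID and watch_types set are hypothetical.

```bro
# Added example: log executables seen over HTTP from the file analysis
# framework instead of from an HTTP::LOG predicate. Assumes fa_file has an
# optional mime_type field (Bro 2.2); module/log names are hypothetical.
module HTTPExe;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:        time    &log;
		uid:       string  &log;
		id:        conn_id &log;
		is_orig:   bool    &log;   # T = uploaded by client, F = served by server
		fuid:      string  &log;
		mime_type: string  &log &optional;
		host:      string  &log &optional;
		uri:       string  &log &optional;
		filename:  string  &log &optional;
	};

	## MIME types that get their own log line (constructed list, adjust as needed).
	const watch_types: set[string] = { "application/x-dosexec" } &redef;
}

event bro_init()
	{
	Log::create_stream(LOG, [$columns=Info]);
	}

# Negative priority so the base HTTP entities handler has already populated
# c$http (filename, mime_type) by the time this runs.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=-5
	{
	if ( f$source != "HTTP" || ! c?$http )
		return;

	# The decision is made on the file's own detected type, not on HTTP::Info,
	# so it does not matter whether http.log has been written yet.
	if ( ! f?$mime_type || f$mime_type !in watch_types )
		return;

	local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id,
	                   $is_orig=is_orig, $fuid=f$id, $mime_type=f$mime_type];
	if ( c$http?$host )     rec$host = c$http$host;
	if ( c$http?$uri )      rec$uri = c$http$uri;
	if ( c$http?$filename ) rec$filename = c$http$filename;
	Log::write(LOG, rec);
	}
```

The resulting log carries the file ID, so each line can be joined back to files.log and to http.log by uid for the full request context.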
