[Bro] Log::add_filter with mime_type or filename predicate

Thomas, Eric D edthoma at sandia.gov
Mon Sep 30 12:08:18 PDT 2013


I'm looking for the new way (in 2.2) for filtering HTTP::LOG logging based
upon mime_type or filename. It seems with the new file analysis framework
the filename and mime_type of an HTTP connection are set in HTTP::Info in
base/protocols/http/entities.bro inside the file_over_new_connection
event. However, I'm thinking at this point that that event is triggered
only AFTER the HTTP::LOG filter predicates are processed, since all of the
new entities fields in the HTTP::Info record are "<uninitialized>" when
printed from the predicate function. Here is a possibly helpful code
snippet that goes inside bro_init() (Excuse the formatting, not much I can
do.)

Log::add_filter(HTTP::LOG, [$name = "http-executables",
	$path = "http_exe",
	$pred(rec: HTTP::Info) =
	{
		print "file:", rec;
		return 1==1;
	},
# This line was in the predicate function, but it no longer works
# return rec?$mime_type && rec$mime_type == "application/x-dosexec"; },

	$include=set("ts","id.orig_h","id.orig_p","id.resp_h","id.resp_p","method",
	             "host","uri","referrer","user_agent","request_body_len",
	             "response_body_len","status_code","info_msg","contenttype",
	             "filename","mime_type")
	]);



Thoughts?


-- 
Eric Thomas

edthoma at sandia.gov
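Added example, not part of the post above and not Bro project code: a named predicate for the same "log only Windows executables" filter, written so it tolerates records where the file-analysis fields were never set. It assumes the 2.2 entities.bro layout in which response-side MIME types are collected in an optional vector field named resp_mime_types (one entry per file seen in the response); that field name, and the string "http_exe_pred", are assumptions of this example rather than something the post states.

```bro
# Hypothetical predicate for Log::add_filter on HTTP::LOG.
# Returns T only when at least one response-side file was classified
# as application/x-dosexec. The field resp_mime_types is assumed to be
# an &optional vector of string on HTTP::Info, so it is guarded with ?$
# before use: a request with no file entities leaves it unset, and
# touching an unset &optional field is a runtime error.
function http_exe_pred(rec: HTTP::Info): bool
	{
	if ( ! rec?$resp_mime_types )
		return F;

	# for-loop over a vector yields its indices, not its elements.
	for ( i in rec$resp_mime_types )
		{
		if ( rec$resp_mime_types[i] == "application/x-dosexec" )
			return T;
		}

	return F;
	}

event bro_init()
	{
	# Same filter shape as the post's snippet, but with the predicate
	# factored out so it can be reused or unit-tested separately.
	Log::add_filter(HTTP::LOG, [$name = "http-executables",
	                            $path = "http_exe",
	                            $pred = http_exe_pred,
	                            $include = set("ts", "id.orig_h", "id.orig_p",
	                                           "id.resp_h", "id.resp_p",
	                                           "method", "host", "uri",
	                                           "user_agent", "status_code",
	                                           "resp_mime_types")]);
	}
```

The $include set is limited to fields the predicate's own assumptions cover; any field listed there that does not exist on HTTP::Info in the running version is simply not written, whereas dereferencing an absent field inside the predicate would abort the script, which is why the ?$ check comes first.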
