[Bro] 2.1 file analysis logging in 2.2

Seth Hall seth at icir.org
Fri Feb 21 12:30:59 PST 2014


On Feb 21, 2014, at 12:06 PM, Mike Hamilton <mhamilton at 21ct.com> wrote:

> Is there a simple way to add back those two old columns to the http.log
> file?  Understanding that the new mime_types fields are vectors instead of
> straight strings, do either of the new mime_type fields correspond to the
> old mime_type column?


You can certainly do that, but I do want to point out that the old log was incorrect.  HTTP uses MIME to transfer data so you can send multiple files and receive multiple files in a single request or response.

mime_type is basically the same as the resp_mime_types field except that it can represent more than one file.  Hashes are not included in the HTTP log at all anymore but you can add it back by basically copying how the resp_mime_types field is populated. 

Finally I should probably point out that the resp_fuids and orig_fuids fields correspond to the second field (fuid) in the files.log. 

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
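A worked version of the approach Seth describes, as an added example (not code from the original message and not Bro's own scripts): it follows the same pattern the HTTP scripts use to fill resp_fuids/resp_mime_types, but appends MD5 hashes instead. The field names orig_md5s/resp_md5s are this example's choice (the 2.1 column was just "md5"), and they are vectors because, as noted above, one request or response can carry several files. Assumed Bro 2.2 APIs: the file_new and file_hash events, Files::add_analyzer with Files::ANALYZER_MD5, and the fa_file fields source, conns and is_orig.

```bro
##! Added example: put a per-file MD5 column back into http.log in Bro 2.2.
##! Mirrors how resp_fuids/resp_mime_types are populated; field names are
##! this example's choice, not an official Bro log field.

@load base/protocols/http
@load base/files/hash

module HTTP;

export {
	redef record Info += {
		## MD5 of each file in the request body, ordered like orig_fuids.
		orig_md5s: vector of string &log &optional;
		## MD5 of each file in the response body, ordered like resp_fuids.
		resp_md5s: vector of string &log &optional;
	};
}

# Attach the MD5 analyzer to every file carried over HTTP. Without this
# no file_hash event is raised for these files at all.
event file_new(f: fa_file) &priority=5
	{
	if ( f$source == "HTTP" )
		Files::add_analyzer(f, Files::ANALYZER_MD5);
	}

# file_hash fires once the whole file has been seen. A file can belong to
# several connections, so walk all of them (the MIME-type fields do the
# same) and append the hash to the vector for the right direction.
event file_hash(f: fa_file, kind: string, hash: string) &priority=5
	{
	if ( kind != "md5" || f$source != "HTTP" || ! f?$conns )
		return;

	for ( cid in f$conns )
		{
		local c = f$conns[cid];
		if ( ! c?$http )
			next;

		if ( f?$is_orig && f$is_orig )
			{
			if ( ! c$http?$orig_md5s )
				c$http$orig_md5s = string_vec(hash);
			else
				c$http$orig_md5s[|c$http$orig_md5s|] = hash;
			}
		else
			{
			if ( ! c$http?$resp_md5s )
				c$http$resp_md5s = string_vec(hash);
			else
				c$http$resp_md5s[|c$http$resp_md5s|] = hash;
			}
		}
	}
```

Load it from local.bro (or pass it on the command line with a pcap) and two new columns appear in http.log next to orig_fuids/resp_fuids. Two caveats: hashing every HTTP body costs CPU, so on a busy sensor you may want to restrict the file_new handler to particular MIME types; and if a hash arrives after the transaction has already been written (large bodies on a pipelined connection), the column will be empty for that row, but the md5 field in files.log still carries the hash keyed by the same fuid.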
