[Bro] http multi-part

Jim Mellander jmellander at lbl.gov
Fri Aug 25 11:21:42 PDT 2017


The attached policy should help you. It assembles multipart HTTP POSTs, and
performs regular expression matching on the POST contents.


On Thu, Aug 24, 2017 at 6:55 PM, Dk Jack <dnj0496 at gmail.com> wrote:

> Hi,
> I am trying to perform some analysis on the HTTP body. For regular
> messages I am accumulating the http body using http_entity_data
> and http_end_entity events. However, this doesn't seem to work for
> multi-part post messages. How do I accumulate multi-part post messages? Any
> help is appreciated. Thanks.
> Dk.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: http-sensitive_POSTs.bro
Type: application/octet-stream
Size: 2839 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170825/7e25580e/attachment-0001.obj 
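A sketch of the approach described in the reply above, as an added example that is not the scrubbed attachment and not the author's code: it buffers client body data across all MIME parts and matches once at http_message_done, since http_begin_entity/http_end_entity can fire more than once when the body contains nested MIME entities. The module name, the post_body field, the pattern and the size cap are hypothetical.

```bro
# Added example; names below are hypothetical, not from http-sensitive_POSTs.bro.
@load base/protocols/http
@load base/frameworks/notice

module SensitivePOST;

export {
	redef enum Notice::Type += { Sensitive_POST_Body };

	# Constructed sample pattern; replace with the content you want flagged.
	const body_pattern = /BEGIN (RSA )?PRIVATE KEY/ &redef;

	# Cap on bytes buffered per request, to bound memory use.
	const max_body_bytes = 65536 &redef;
}

redef record HTTP::Info += {
	# Client body data seen so far for this request, across all MIME parts.
	post_body: string &default="";
};

# Raised for each chunk of entity data; append instead of resetting per entity.
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
	{
	if ( ! is_orig || ! c?$http || ! c$http?$method || c$http$method != "POST" )
		return;

	# Stop buffering once the cap is reached.
	if ( |c$http$post_body| + length > max_body_bytes )
		return;

	c$http$post_body = c$http$post_body + data;
	}

# Raised once per HTTP message, after every part has been delivered.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	if ( ! is_orig || ! c?$http || |c$http$post_body| == 0 )
		return;

	if ( body_pattern in c$http$post_body )
		NOTICE([$note=Sensitive_POST_Body, $conn=c,
		        $msg=fmt("POST body matched %s", body_pattern),
		        $sub=(c$http?$uri ? c$http$uri : "")]);
	}
```

The buffer holds part contents only, so patterns should target body content rather than form field names carried in the per-part headers.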