[Bro] Custom log file

Beyaz Şapka siberkartal at gmail.com
Mon Jan 2 11:58:30 PST 2017


Hi all,

I want to generate custom log files.
For example, the columns of one log file should be like the following.
ts,uid,fuid,geo_location,idresp_h,idresp_p,method,status_code,trans_depth,response_body_len,mime_type,host,uri,referrer,source,filename,md5,sha1,extracted,flash_version.

Those fields are found in files.log and http.log.
To get those values I need connection, fa_file and fa_metadata records.
More precisely,
I need connection for resp_h and resp_p through conn_id record (c$id$resp_h
and c$id$resp_p).
I need connection for ts, uid, trans_depth, method, status_code,
response_body_len, host, uri, referrer, _flash_version through HTTP::Info
record.
I need connection for geo location through lookup_location(resp_h).
I need fa_metadata for mime_type, since I extract only particular mime
types and also I build the filename that is going to be extracted.
I need fa_file for fuid, source, filename, md5, sha1, and extracted through
Files::Info record.

connection and fa_file records are accessible in event
file_over_new_connection.
However, at this phase md5, sha1, extracted, and response_body_len values
are not present.

For this reason, I used the HTTP::log_http and Files::log_files events.
I can get all values from those events except resp_h and resp_p.
I use file_over_new_connection for that since I also extract geo location
from here.
But in this case, due to the asynchronous nature of network traffic, the
resp_h and geo location values in my custom log file are erroneous.
How do you do that?

I read the related parts of the documentation and source code of Bro and
also reviewed the Bro archive for the last year.
I keep the post short in order not to be wordy for now.
I can send my script also.

Any help is quite appreciated,
Thanks,
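One way to handle the timing problem described in the post is to capture the connection-level values (resp_h, resp_p, geo lookup, and the in-progress HTTP::Info fields) in file_over_new_connection, park them in a table keyed by fuid, and only write the line once both Files::log_files and HTTP::log_http have delivered their halves. The script below is an added example written for this reply; it is not the poster's script and not part of Bro's own distribution. It assumes a Bro 2.5-era scripting API, that GeoIP support is compiled in for lookup_location, and that the module name CustomHTTP, the stream CustomHTTP::LOG, the log path "custom_http_files" and the 5-minute pending timeout are this example's own choices.

```bro
##! Added example (not from the original post or Bro's scripts): correlate
##! connection, Files::Info and HTTP::Info data into one custom log line.
##! Assumptions: Bro 2.5-era API; module/stream/path names are illustrative.

module CustomHTTP;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:                time    &log;
        uid:               string  &log;
        fuid:              string  &log;
        geo_location:      string  &log &optional;
        resp_h:            addr    &log;
        resp_p:            port    &log;
        method:            string  &log &optional;
        status_code:       count   &log &optional;
        trans_depth:       count   &log &optional;
        response_body_len: count   &log &optional;
        mime_type:         string  &log &optional;
        host:              string  &log &optional;
        uri:               string  &log &optional;
        referrer:          string  &log &optional;
        source:            string  &log &optional;
        filename:          string  &log &optional;
        md5:               string  &log &optional;
        sha1:              string  &log &optional;
        extracted:         string  &log &optional;
        # The file half and the HTTP half arrive at different times;
        # these flags record which halves are filled in before writing.
        have_file:         bool    &default=F;
        have_http:         bool    &default=F;
    };
}

# Partial records keyed by fuid. If one half never arrives, the entry is
# written as-is when it expires (assumed timeout: 5 minutes).
global pending: table[string] of Info &create_expire=5min
    &expire_func=function(t: table[string] of Info, fuid: string): interval
        { Log::write(LOG, t[fuid]); return 0sec; };

event bro_init() &priority=5
    {
    Log::create_stream(LOG, [$columns=Info, $path="custom_http_files"]);
    }

# Render the geo lookup as "CC/City", using "-" for missing fields.
function geo_string(a: addr): string
    {
    local loc = lookup_location(a);
    local cc = loc?$country_code ? loc$country_code : "-";
    local city = loc?$city ? loc$city : "-";
    return fmt("%s/%s", cc, city);
    }

# Write and forget the record once both halves are present.
function try_write(fuid: string)
    {
    if ( fuid !in pending ) return;
    local r = pending[fuid];
    if ( r$have_file && r$have_http )
        {
        Log::write(LOG, r);
        delete pending[fuid];
        }
    }

# The connection record is in hand here, so resp_h/resp_p and the geo
# lookup are taken now instead of being guessed later.
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
    {
    if ( f$source != "HTTP" || is_orig ) return;   # server responses only
    local r: Info = [$ts=network_time(), $uid=c$uid, $fuid=f$id,
                     $resp_h=c$id$resp_h, $resp_p=c$id$resp_p];
    r$geo_location = geo_string(c$id$resp_h);
    if ( c?$http )
        {
        r$trans_depth = c$http$trans_depth;
        if ( c$http?$method )   r$method   = c$http$method;
        if ( c$http?$host )     r$host     = c$http$host;
        if ( c$http?$uri )      r$uri      = c$http$uri;
        if ( c$http?$referrer ) r$referrer = c$http$referrer;
        }
    pending[f$id] = r;
    }

# Hashes and the extracted filename are final only when the file record
# is logged.
event Files::log_files(rec: Files::Info)
    {
    if ( rec$fuid !in pending ) return;
    local r = pending[rec$fuid];
    if ( rec?$source )    r$source    = rec$source;
    if ( rec?$mime_type ) r$mime_type = rec$mime_type;
    if ( rec?$filename )  r$filename  = rec$filename;
    if ( rec?$md5 )       r$md5       = rec$md5;
    if ( rec?$sha1 )      r$sha1      = rec$sha1;
    if ( rec?$extracted ) r$extracted = rec$extracted;
    r$have_file = T;
    try_write(rec$fuid);
    }

# Status code and body length are final only when the HTTP record is
# logged; resp_fuids links the transaction back to the files it carried.
event HTTP::log_http(rec: HTTP::Info)
    {
    if ( ! rec?$resp_fuids ) return;
    for ( i in rec$resp_fuids )
        {
        local fuid = rec$resp_fuids[i];
        if ( fuid !in pending ) next;
        local r = pending[fuid];
        if ( rec?$status_code ) r$status_code = rec$status_code;
        r$response_body_len = rec$response_body_len;
        r$have_http = T;
        try_write(fuid);
        }
    }
```

Records are reference types in Bro, so assigning fields on the local alias updates the entry in pending. Keying on fuid rather than on the connection is what keeps the two halves matched when several responses share a connection; the expiry function is there so a transaction whose HTTP or file record never logs (for example a truncated capture) still produces a line rather than silently leaking table entries.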