[Bro] Fwd: Custom log file

Beyaz Şapka siberkartal at gmail.com
Tue Jan 3 08:26:17 PST 2017

You are right. They are available also from there.
But it is not the solution of the problem.
Using both HTTP::log and Files::log_files makes inconsistency,
because events for all packets occur concurrently.
While I got tcp stream x in HTTP::log_http, I could get tcp stream 2 in
So, I left this approach and developed two scripts, but they also have
problems; details are below.

The data fields are extracted from the event file_state_remove(f: fa_file)
in the following script.
There are two problems here.
1 request is missing in the output of the script, because it returns a 302
redirection HTTP status code, I think.
Also, response_body_len is not available here, since it will only be
available in connection_state_remove(c: connection).

In the second script, the data fields are extracted from the event
connection_state_remove(c: connection).
There are two problems here.
5 requests are missing in the output of the script, because in one
connection there are multiple HTTP responses, I think.
Secondly, it is not possible to extract 5 fields, because they are only
accessible via the f$info record.

There are 11 requests in the sample pcap.

On Tue, Jan 3, 2017 at 6:26 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:

> > On Jan 2, 2017, at 2:58 PM, Beyaz Şapka <siberkartal at gmail.com> wrote:
> >
> > For this reason, I used HTTP::log_http and Files::log_files events.
> > I can get all values from that events except resp_h and resp_p.
> >
> Oh?  Those two fields are part of the `id` field in the HTTP::Info record.
> --
> - Justin Azoff
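Added example (not code from the thread or from the Bro project): one Bro script that writes a single custom log with both the connection-side fields (resp_h/resp_p via `id`, method, host, uri, status_code) and the file-side fields (mime_type, filename, byte counts) without matching events across "tcp streams". It relies on two things from Bro's base scripts: `fa_file` carries `f$http` (the `HTTP::Info` of the transaction that delivered the file, attached by base/protocols/http/entities.bro) next to `f$info`, and `HTTP::Info$resp_fuids` is only set when the response actually produced a file. The module name `CustomHTTP`, the log path `custom_http`, and the split into two handlers (file-backed responses logged from `file_state_remove`, body-less responses such as a 302 logged from `HTTP::log_http`) are this example's own design, not something the post or Bro prescribes; byte counts come from the file side (`seen_bytes`/`total_bytes`) rather than from `response_body_len`, whose availability in `file_state_remove` the post questions.

```bro
# custom_http.bro (added example). Record field names follow Bro's base
# HTTP::Info / Files::Info / fa_file records; module, stream and log path
# names are invented for this illustration.
module CustomHTTP;

export {
	redef enum Log::ID += { LOG };

	## One row per HTTP response; file fields are filled in only when the
	## response carried a body that the file analysis framework saw.
	type Info: record {
		ts:          time    &log;
		uid:         string  &log;
		id:          conn_id &log;            # yields resp_h / resp_p columns
		method:      string  &log &optional;
		host:        string  &log &optional;
		uri:         string  &log &optional;
		status_code: count   &log &optional;
		fuid:        string  &log &optional;
		mime_type:   string  &log &optional;
		filename:    string  &log &optional;
		seen_bytes:  count   &log &optional;
		total_bytes: count   &log &optional;
	};
}

event bro_init()
	{
	Log::create_stream(CustomHTTP::LOG, [$columns=Info, $path="custom_http"]);
	}

# Copy the transaction-level fields that live in HTTP::Info.
function from_http(h: HTTP::Info): Info
	{
	local rec: Info = [$ts=h$ts, $uid=h$uid, $id=h$id];
	if ( h?$method )      rec$method = h$method;
	if ( h?$host )        rec$host = h$host;
	if ( h?$uri )         rec$uri = h$uri;
	if ( h?$status_code ) rec$status_code = h$status_code;
	return rec;
	}

# Responses with a body: the fa_file carries both f$info (Files::Info) and
# f$http (the HTTP::Info of the transaction that delivered it), so the
# connection fields and the file fields are read from the same event.
event file_state_remove(f: fa_file)
	{
	if ( ! f?$http || ! f?$info )
		return;

	local rec = from_http(f$http);
	rec$fuid = f$id;
	rec$seen_bytes = f$seen_bytes;
	if ( f$info?$mime_type )   rec$mime_type = f$info$mime_type;
	if ( f$info?$filename )    rec$filename = f$info$filename;
	if ( f$info?$total_bytes ) rec$total_bytes = f$info$total_bytes;

	Log::write(CustomHTTP::LOG, rec);
	}

# Responses without a body (e.g. a 302 redirect) never produce a file, so
# log them from the HTTP side. resp_fuids is only populated when a file was
# seen, which keeps the two handlers from logging the same transaction twice.
event HTTP::log_http(rec: HTTP::Info)
	{
	if ( rec?$resp_fuids && |rec$resp_fuids| > 0 )
		return;

	Log::write(CustomHTTP::LOG, from_http(rec));
	}
```

Run it against the capture with `bro -r sample.pcap custom_http.bro` and compare the row count of `custom_http.log` with the request count in `http.log`; a transaction that appears in neither handler (a response with a body that the file framework dropped, for instance) would show up as the difference.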