[Bro-Dev] Combining HTTP scripts?

Seth Hall seth at icir.org
Wed Feb 9 11:13:56 PST 2011


On Feb 9, 2011, at 1:10 PM, Vern Paxson wrote:

>> Is there a consensus that that's the right way to go?
> 
> In general I like that.  However, where do you draw the line?  Processing
> individual headers and/or capturing transferred entities gets expensive.
> It's certainly reasonable that a default config gets response processing
> along with request processing; but I'm not sure about what other stuff it
> should include, due to load / log space considerations.


That's a good point and one that I've certainly debated back and forth with myself quite a bit.  Here's what I came down to in my http-ext script...
	https://github.com/sethhall/bro_scripts/blob/master/logging.http-ext.bro#L24

Not all of those fields are filled in by default (ex. md5, which is the md5 sum of the response body) but with the combination of record extensions and the logging framework, it should be really easy for users to add their own data to this record while maintaining the separation between shipped scripts and locally written ones.

For cases like writing out the http response body, the normal file writing and printing functions and statements are still there so that the key-value logging framework can be bypassed.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
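The record-extension plus logging-framework pattern described in the message above, as an added example that is not part of the thread or of the http-ext script: a local script adds its own field to the shipped HTTP log record and fills it from an event handler. It assumes the Zeek/Bro 2.x names (HTTP::Info, the &log attribute, http_message_done), which postdate the 2011 script linked above; the module and field names are this example's own.

```zeek
# Added example: extend the shipped HTTP log record from a local script
# without modifying the shipped script. Assumes Zeek/Bro 2.x API names.
module LocalHTTP;

# Record extension: the new field is &optional (not every record will have
# it) and &log (the logging framework writes it out when it is set).
redef record HTTP::Info += {
    ## Size in bytes of the response body, filled in locally (name is
    ## this example's own choice).
    local_resp_body_len: count &optional &log;
};

# The response message has been fully seen at this point. Run at a higher
# priority than the shipped handler that calls Log::write for HTTP::LOG,
# so the field is populated before the record is logged.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority=5
{
    # Only the server-to-client (response) message is of interest, and
    # only if HTTP state exists for this connection.
    if ( is_orig || ! c?$http )
        return;

    c$http$local_resp_body_len = stat$body_length;
}
```

Loading this script alongside the default HTTP logging adds a `local_resp_body_len` column to the HTTP log while the shipped script stays untouched.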




More information about the bro-dev mailing list