[Bro-Dev] Support for HTTP body extraction of originator

Matthias Vallentin vallentin at icir.org
Sat Apr 20 09:16:28 PDT 2013

The current HTTP body extraction mechanism only allows for recording responses:

event http_entity_data(c: connection, is_orig: bool,...
  # Client body extraction is not currently supported in this script.
  if ( is_orig )

Does anyone recall the reason for this? Later in the script, we have:

local suffix = fmt("%s_%d.dat", is_orig ? "orig" : "resp", \

So simply removing the is_orig check readily enables extraction of
HTTP request bodies, and also correctly tags the extraction file with
"orig" or "resp".

The current workaround at this point is to copy the entire event
handler for http_entity_data and simply invert the above check, which
is redundant and inefficient.

Here's my suggestion: we'd introduce an enum that specifies the
direction, e.g., ORIG, RESP, BOTH. Users can then decide what they'd
like to have recorded.


More information about the bro-dev mailing list