[Bro-Dev] #988: Bug in HTTP body extraction

Bro Tracker bro at tracker.bro.org
Mon Apr 29 12:21:51 PDT 2013

#988: Bug in HTTP body extraction
  Reporter:  matthias  |      Owner:  seth
      Type:  Problem   |     Status:  new
  Priority:  Medium    |  Milestone:  Bro2.2
 Component:  Bro       |    Version:  2.1
Resolution:            |   Keywords:

Comment (by matthias):

 It seems that the FAF resolves this problem; I can now see the HTTP bodies
 for both POST requests and the text/plain MIME type.

 However, I did have trouble finding the corresponding files. For example,
 for a given HTTP session the `extraction_file` column shows
 `http-item-ku9xiCY0bg9-37.dat`, which includes the HTTP response body. The
 corresponding request body sits in `http-item-oh0kb6JHiM5-36.dat` but is
 not referenced in the `http.log`.

 Some options:

 1. Extend the `extraction_file` column in the `http.log` to also include
 the file name of the request, say separated by comma (or whatever is the
 separator for sets).

 2. Have a separate column for request and response.

 3. Change the extraction file name to also include the connection UID.

 We need to address issue (1) in any case because the current
 `extraction_file` approach does not match the reality where we can have
 multiple files per HTTP request-response pair.

Ticket URL: <http://tracker.bro.org/bro/ticket/988#comment:3>
Bro Tracker <http://tracker.bro.org/bro>
Bro Issue Tracker
