Log entire payloads

Vern Paxson vern at icir.org
Sat Apr 24 12:02:32 PDT 2004


> I'd like to log http payloads for each connection seen on my network.
> 
> In fact, I'd like to get something like:
> Src_IP;Dst_IP;Request_Payload;Reply_Payload
> 
> but with entire payloads (not only URIs, but also banners...)

You can get all of this via

	bro -r http.trace http-reply http-header http-body

The only problem is that http-body has hardwired into it that contents
(not headers) larger than 40 bytes are truncated to 40 bytes.  I will
fix that.  In the interim, if you need entire contents you can make a
copy of the script with the limitation removed and use that instead.

		Vern


