[Bro] HTTP Post data

Martin Holste mcholste at gmail.com
Fri Mar 9 07:57:37 PST 2012


This is important enough that the Bro team might want to work on
something that's on by default.  Specifically, many attackers hide
SQLi in POST params, so auto-extracting and logging some default,
finite limit of POST params into the HTTP log would be a big win for
the community.

On Fri, Mar 9, 2012 at 8:35 AM, Will Havlovick
<will.havlovick at zenimax.com> wrote:
> Very cool!
>
> I will check this out.  We have had some interesting data in forms that are being submitted.
>
> Thank you,
>
> Will
>
> -----Original Message-----
> From: matthias at vallentin.net [mailto:matthias at vallentin.net] On Behalf Of Matthias Vallentin
> Sent: Thursday, March 08, 2012 12:30 PM
> To: Will Havlovick
> Cc: bro at bro-ids.org
> Subject: Re: [Bro] HTTP Post data
>
>> Is there a way to write the data(body) of a HTTP Post request to the
>> http.log? Or another log file?
>
> Yes, that's possible. You would have to reassemble the data from the body across the http_entity_* events. Here is an example of how one could do it:
>
> https://github.com/mavam/brospects/blob/master/bro/bodies.bro
>
>    Matthias
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
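
The approach discussed in this thread (reassembling the POST body across the http_entity_* events and logging only a finite amount of it) could look like the following. This is an added example, not code from the thread or from the linked bodies.bro; it assumes the Bro 2.x base HTTP scripts, and the names `post_body` and `post_body_limit` are made up for illustration.

```bro
# Added example: logs a bounded prefix of each POST request body to http.log.
# The field name post_body and the option post_body_limit are assumptions,
# not part of Bro's shipped scripts.
@load base/protocols/http

module HTTP;

export {
	redef record Info += {
		## First post_body_limit bytes of the request body (POST only).
		post_body: string &log &optional;
	};

	## Upper bound on the number of body bytes logged per request.
	const post_body_limit = 1024 &redef;
}

# The body is delivered in chunks, one http_entity_data event per chunk,
# so the chunks are appended to the per-request record until the cap is hit.
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
	{
	# Only client-to-server entities that belong to a POST request.
	if ( ! is_orig || ! c?$http || ! c$http?$method || c$http$method != "POST" )
		return;

	if ( ! c$http?$post_body )
		c$http$post_body = "";

	local have = |c$http$post_body|;

	# Cap reached: ignore further chunks so memory and log size stay bounded.
	if ( have >= post_body_limit )
		return;

	# sub_bytes is 1-based; take only as many bytes as still fit under the cap.
	c$http$post_body = c$http$post_body + sub_bytes(data, 1, post_body_limit - have);
	}
```

The cap can be changed with `redef HTTP::post_body_limit = 4096;`. Logged bodies can include submitted passwords and session tokens, so http.log needs the same access controls as a packet capture.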



