[Bro] HTTP Post data

Seth Hall seth at icir.org
Fri Mar 9 09:11:26 PST 2012


On Mar 9, 2012, at 10:57 AM, Martin Holste wrote:

> This is important enough that the Bro team might want to work on
> something that's on by default.  Specifically, many attackers hide
> SQLi in POST params, so auto-extracting and logging some default,
> finite limit of POST params into the HTTP log would be a big win for
> the community.


Yep, I've done that before and (again!) it's another source of perspective change on network traffic.

Regarding the SQLi detection, I've been planning on extending the SQLi detection script to cover POST data for a long time.  Adding post data to the logs is at least easy.  I attached a script which will just blindly add a configurable amount of data to your http.log.

I'm not so sure it would ever be turned on by default, but we can certainly consider including a script that does this.  It's a load statement away from being enabled that way. ;)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: http-extract-post.bro
Type: application/octet-stream
Size: 574 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120309/a012cc40/attachment.obj 
-------------- next part --------------


  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
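As an added illustration of the approach Seth describes (not his attached http-extract-post.bro, which is not reproduced on this page), the following Bro script appends a bounded slice of each POST request body to http.log. The field name `post_body`, the tunable `post_data_limit` and its default of 1024 bytes are assumptions chosen for this example; the `http_entity_data` event and `sub_bytes` builtin are part of the Bro scripting language.

```bro
##! Added example, not the script attached to the original mail.
##! Records the leading bytes of client POST bodies in http.log,
##! capped at a configurable length.

@load base/protocols/http

module HTTP;

export {
    redef record Info += {
        ## First bytes of the request body, truncated to post_data_limit.
        ## (field name assumed for this example)
        post_body: string &log &optional;
    };

    ## Maximum number of body bytes kept per request (name and default assumed).
    const post_data_limit = 1024 &redef;
}

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    # Only client-side (request) bodies, and only for POST requests.
    if ( ! is_orig || ! c?$http || ! c$http?$method || c$http$method != "POST" )
        return;

    local cur = c$http?$post_body ? c$http$post_body : "";

    # Stop once the configured budget for this request is used up.
    if ( |cur| >= post_data_limit )
        return;

    # Bodies may arrive in several chunks; append only what still fits.
    local room = post_data_limit - |cur|;
    c$http$post_body = cur + sub_bytes(data, 1, room);
    }
```

Load it alongside the HTTP analyzer (for example with `@load` from local.bro) and raise or lower `post_data_limit` with `redef`. The ASCII log writer escapes non-printable bytes, so binary or multi-line bodies do not corrupt the tab-separated http.log; the limit is what keeps log volume predictable on busy links.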


