[Bro] Bro 2.1 http cookies extraction

Patrick Powell ppowell at 21ct.com
Sun Aug 25 10:56:43 PDT 2013


Hello all.  I am trying to extract cookie key/value pairs with Bro.  Bro 2.1
out of the box comes with
/usr/local/bro/share/bro/policy/protocols/http/var-extraction-cookies.bro
that extracts only the keys.  Below is the baked-in way of keys and I'm
looking for something similar for the values.  I would rather use something
that is already there if it exists but cannot find it.

If it does not exist, what would be the recommendation for creating it?   My
understanding is that modifying anything outside of
/usr/local/bro/share/bro/site can get overwritten with updates.  Should I
create a whole new protocols/http directory structure under
/usr/local/bro/share/bro/site and keep the configuration of cookies
separate?

###################################################################
/usr/local/bro/share/bro/policy/protocols/http/var-extraction-cookies.bro

##! Extracts and logs variables names from cookies sent by clients.

@load base/protocols/http/main
@load base/protocols/http/utils

module HTTP;

redef record Info += {
        ## Variable names extracted from all cookies.
        cookie_vars: vector of string &optional &log;
};

event http_header(c: connection, is_orig: bool, name: string, value: string)
&priority=2
        {
        if ( is_orig && name == "COOKIE" )
                c$http$cookie_vars = extract_keys(value, /;[[:blank:]]*/);
        }
###################################################################
function extract_keys from
/usr/local/bro/share/bro/base/protocols/http/utils.bro
###################################################################
function extract_keys(data: string, kv_splitter: pattern): string_vec
        {
        local key_vec: vector of string = vector();

        local parts = split(data, kv_splitter);
        for ( part_index in parts )
                {
                local key_val = split1(parts[part_index], /=/);
                if ( 1 in key_val )
                        key_vec[|key_vec|] = key_val[1];
                }
        return key_vec;
        }

Thanks,
Patrick Powell
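An added illustration, not code from the original post or from the Bro distribution: a Python model of how extract_keys walks the Cookie header (split on /;[[:blank:]]*/, then split1 on the first "="), with a companion that keeps the values as well. The function names extract_kv, the splitter constant and the sample header are constructed for this example; the split-on-first-"=" rule matters because values such as base64 tokens can legitimately contain "=".

```python
import re
from typing import Dict, List

# Mirrors the Bro pattern /;[[:blank:]]*/ used in var-extraction-cookies.bro.
COOKIE_SPLITTER = re.compile(r";[ \t]*")


def _parts(data: str, splitter: "re.Pattern") -> List[str]:
    # Bro's split() yields every piece, including empty ones from a trailing ';'.
    # Empty pieces are dropped here for readability (a small departure from Bro).
    return [p for p in splitter.split(data) if p != ""]


def extract_keys(data: str, splitter: "re.Pattern" = COOKIE_SPLITTER) -> List[str]:
    """Model of Bro's extract_keys(): cookie names only, values discarded."""
    keys = []
    for part in _parts(data, splitter):
        # split1(part, /=/) splits on the first '=' only; str.split(sep, 1) matches that.
        key_val = part.split("=", 1)
        keys.append(key_val[0])
    return keys


def extract_kv(data: str, splitter: "re.Pattern" = COOKIE_SPLITTER) -> Dict[str, str]:
    """Same walk as extract_keys, but keeps the value of each cookie.

    A cookie without '=' is recorded with an empty value so the name still shows up.
    """
    pairs: Dict[str, str] = {}
    for part in _parts(data, splitter):
        key_val = part.split("=", 1)
        key = key_val[0]
        value = key_val[1] if len(key_val) == 2 else ""
        pairs[key] = value
    return pairs


if __name__ == "__main__":
    # Constructed sample header: base64 padding, a missing blank after ';', a bare flag.
    header = "session=abc==; theme=dark;lang=en; flag"
    print(extract_keys(header))   # ['session', 'theme', 'lang', 'flag']
    print(extract_kv(header))     # {'session': 'abc==', 'theme': 'dark', 'lang': 'en', 'flag': ''}
```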
