[Bro] Customization for HTTP logs

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Thu Nov 21 08:25:34 PST 2013


> 
> In order to be able to log more HTTP headers, I edited the file: 
> /bro/share/bro/base/protocols/http/main.bro (the edited file is attached to this mail).
> 
> In addition to this file change I added log filter into /bro/share/bro/site/local.bro file.
> 
> The log is created and most of fields logged well except the following fields:
> response_content_length
> cookie
> response_content_type
> 
> Can someone tell me what's wrong?

Are you sure that the server sends the header lines? As far as I remember all
of them are optional. At a first glance, it looks fine besides that - and if the
other things you added are working, these should too.

But - one other thing - you really should not edit script-files in base. If you ever
re-install bro, it will be overwritten without any warning or prompting you. Also - if
you ever update to a new version you will have to re-apply your changes manually.

Instead, you should extend the HTTP::Info record in a separate, new script-file and
also set the values in that new file by catching the http_header event.

Bernhard
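
The approach described in the reply above, sketched as an added example that is not part of the original message or of the attached file. The three field names are taken from the question; placing the script in its own file loaded from local.bro is an assumption.

```bro
# Added example: standalone site script, loaded from local.bro with @load.
# It leaves base/protocols/http/main.bro untouched.

redef record HTTP::Info += {
	## Cookie request header, if the client sent one.
	## Note that this writes session tokens into http.log.
	cookie: string &log &optional;
	## Content-Length response header, if the server sent one.
	response_content_length: string &log &optional;
	## Content-Type response header, if the server sent one.
	response_content_type: string &log &optional;
};

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# The base scripts create c$http at a higher priority; guard anyway.
	if ( ! c?$http )
		return;

	# Header names are delivered upper-cased in this event.
	if ( is_orig )
		{
		if ( name == "COOKIE" )
			c$http$cookie = value;
		}
	else
		{
		if ( name == "CONTENT-LENGTH" )
			c$http$response_content_length = value;
		else if ( name == "CONTENT-TYPE" )
			c$http$response_content_type = value;
		}
	}
```

Because the fields are declared &optional, a transaction whose peer did not send the header is logged with the unset marker ("-") in that column.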


