[Bro] Log an Arbitrarily Long Collection

Siwek, Jonathan Luke jsiwek at illinois.edu
Wed Sep 11 07:54:56 PDT 2013


>  server_headers:                vector of HeaderValue &log &optional;
>  server_headers_count:        count &default=0;
> 
> I decided to use a vector because I want to keep track of header order.  Further down on the http_header event handler, I add each header to the appropriate vector, indexed by the count field which increments.

A minor point: you don't really have to store the count since it's implicit in the vector if you use `|…|` to get the size of the container.  E.g.

	|c$http$server_headers|

in this case would be equivalent to:

	c$http$server_headers_count

> error in /usr/local/bro/share/bro/base/protocols/http/./main.bro, line 83: &log applied to a type that cannot be logged (&log)
> 
> So presumably Bro doesn't like the idea of generating a log entry that includes a vector type (no less consisting of record members, I'm not even sure what that would have looked like but was hoping to find out).

A vector of an atomic type, say `vector of string`, should work.  So an option would be to store the header names and values in two different vectors.

> The next best thing I can think of doing is recording this information with some custom delimiter in a single string field

That could work also and might be better if you're more concerned w/ human readability.

> Also, I have a feeling that directly editing http/main.bro is a bad practice.  Should I instead be adding this script to the policy branch, redefining the HTTP Info object and handling the http header event in there?

Take a look at "policy/protocols/http/header-names.bro".  Copy that to your own script (possibly storing it in $prefix/share/bro/site) and modify it to do what you want (log header name+value in whatever format).  Then have bro load that script: if you're already loading local.bro, adding an @load in there for the new script is one way.

- Jon
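A script along the lines Jon describes, added here as an illustration (it is not the project's header-names.bro and not code from this thread): it redefines HTTP::Info with two parallel `vector of string` fields, which Bro's logging framework can write, and appends with `|v|` as the index instead of keeping a separate count. The field names, script file name and site path are assumptions.

```bro
##! Added example: log HTTP server header names and values as two parallel
##! string vectors (a vector of records cannot carry &log, but a vector of
##! an atomic type can).  Field names here are assumptions for this example.
##! Save as $prefix/share/bro/site/log-server-headers.bro and add
##! "@load log-server-headers" to local.bro.

@load base/protocols/http

module HTTP;

export {
	redef record Info += {
		## Header names in the order the server sent them.
		server_header_names:  vector of string &log &optional;
		## Header values, at the same index as server_header_names.
		server_header_values: vector of string &log &optional;
	};
}

event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
	{
	# Only the response direction (is_orig == F) is the server side;
	# also bail if the HTTP state record has not been created yet.
	if ( is_orig || ! c?$http )
		return;

	if ( ! c$http?$server_header_names )
		{
		c$http$server_header_names  = vector();
		c$http$server_header_values = vector();
		}

	# |v| is the current size, so using it as the index appends and keeps
	# both vectors aligned; no separate count field is needed.
	c$http$server_header_names[|c$http$server_header_names|]   = name;
	c$http$server_header_values[|c$http$server_header_values|] = value;
	}
```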
