[Bro] Log an Arbitrarily Long Collection
Siwek, Jonathan Luke
jsiwek at illinois.edu
Wed Sep 11 07:54:56 PDT 2013
> server_headers: vector of HeaderValue &log &optional;
> server_headers_count: count &default=0;
>
> I decided to use a vector because I want to keep track of header order. Further down on the http_header event handler, I add each header to the appropriate vector, indexed by the count field which increments.
A minor point: you don't really have to store the count since it's implicit in the vector if you use `|…|` to get the size of the container. E.g.
|c$http$server_headers|
in this case would be equivalent to:
c$http$server_headers_count
> error in /usr/local/bro/share/bro/base/protocols/http/./main.bro, line 83: &log applied to a type that cannot be logged (&log)
>
> So presumably Bro doesn't like the idea of generating a log entry that includes a vector type (no less consisting of record members, I'm not even sure what that would have looked like but was hoping to find out).
A vector of an atomic type, say `vector of string`, should work. So an option would be to store the header names and values in two different vectors.
> The next best thing I can think of doing is recording this information with some custom delimiter in a single string field
That could work also and might be better if you're more concerned w/ human readability.
> Also, I have a feeling that directly editing http/main.bro is a bad practice. Should I instead be adding this script to the policy branch, redefining the HTTP Info object and handling the http header event in there?
Take a look at "policy/protocols/http/header-names.bro". Copy that to your own script (possibly storing it in $prefix/share/bro/site) and modify it to do what you want (log header name+value in whatever format). Then have bro load that script: if you're already loading local.bro, adding an @load in there for the new script is one way.
- Jon
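A script along the lines Jon describes, written as an added example for this thread (it is not code from the thread, and not Bro's own header-names.bro). It stores server header names and values in two parallel `vector of string` fields, which Bro can `&log`, and uses `|v|` as the append index so no separate count field is needed. The file name and the choice to record only response headers are my own assumptions.

```bro
# http-server-headers.bro  (file name chosen for this example)
# Adds two index-aligned vectors of string to HTTP::Info so that
# server header names and values are logged in wire order.

@load base/protocols/http

module HTTP;

export {
	redef record Info += {
		## Server header names, in the order they appeared on the wire.
		## Note: the http_header event delivers names in upper case.
		server_header_names:  vector of string &log &optional;
		## Server header values, index-aligned with server_header_names.
		server_header_values: vector of string &log &optional;
	};
}

event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
	{
	# Only handle responses (is_orig == F) that already have an HTTP record.
	if ( is_orig || ! c?$http )
		return;

	if ( ! c$http?$server_header_names )
		{
		c$http$server_header_names  = vector();
		c$http$server_header_values = vector();
		}

	# Append: the current size of the vector is the next free index,
	# so the "count" field from the original question is implicit.
	c$http$server_header_names[|c$http$server_header_names|]   = name;
	c$http$server_header_values[|c$http$server_header_values|] = value;
	}
```

Placed in $prefix/share/bro/site, it can be pulled in from local.bro with `@load http-server-headers` (again, the name is this example's). Each vector becomes one field in http.log, joined by the ASCII writer's set separator (a comma by default), and the two fields stay index-aligned; before relying on that for parsing, check how your Bro version's writer treats a comma that occurs inside a header value.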