[Bro] Log an Arbitrarily Long Collection

Seth Hall seth at icir.org
Wed Sep 11 08:01:07 PDT 2013


On Sep 10, 2013, at 7:04 PM, Christian Buia <christianbuia at gmail.com> wrote:

> So presumably Bro doesn't like the idea of generating a log entry that includes a vector type (no less consisting of record members, I'm not even sure what that would have looked like but was hoping to find out).

We don't allow logging collections of complex types.  You can log vectors, but only vectors of simple atomic types (addr, string, subnet, count, double, etc.), which doesn't include records.  You can log records too, but they can't be part of a collection type (set, table, vector).  If we had allowed the logging framework to log those types we would have been introducing a lot of headaches for ourselves down the road.

> Accept:*/*|||Accept-Language:en-US|||User-Agent:Mozilla 4.0|||Host:somehost.com||||Connection:Keep-Alive

That would work but it's just as nasty as I'm guessing you feel like it is. :)

> Is this a good solution for including an arbitrarily long collection field in my HTTP logs?  Is there a better way to accomplish this?

There are a number of ways of doing it, each with upsides and downsides.  The way I have done it (I have a script floating around somewhere…) is to add fields to HTTP::Info:

client_header_names: vector of string &log &optional;
client_header_values: vector of string &log &optional;
server_header_names: vector of string &log &optional;
server_header_values: vector of string &log &optional;

> Also, I have a feeling that directly editing http/main.bro is a bad practice.

Yes, it's bad practice.

>  Should I instead be adding this script to the policy branch, redefining the HTTP Info object and handling the http header event in there?

Yep.

  .Seth


--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
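The approach Seth describes (extend HTTP::Info from a separate policy script and fill the new fields from the http_header event, rather than editing base/protocols/http/main.bro) as an added, self-contained example; this is not Seth's script or anything from the Bro distribution. The file name policy/protocols/http/log-headers.bro and the &priority value are assumptions; the four field names are the ones from the message.

```bro
# Added example, not part of the original message or of Bro itself.
# Assumed location: policy/protocols/http/log-headers.bro, loaded from
# local.bro with "@load protocols/http/log-headers".

@load base/protocols/http

module HTTP;

export {
    # Vectors of an atomic type (string) are loggable; a vector of records
    # would not be, which is why names and values are split into two
    # index-aligned vectors instead of one vector of name/value records.
    redef record Info += {
        ## Request header names, in the order they were seen.
        client_header_names:  vector of string &log &optional;
        ## Request header values, index-aligned with client_header_names.
        client_header_values: vector of string &log &optional;
        ## Response header names, in the order they were seen.
        server_header_names:  vector of string &log &optional;
        ## Response header values, index-aligned with server_header_names.
        server_header_values: vector of string &log &optional;
    };
}

# main.bro handles http_header at &priority=5 and makes sure c$http exists,
# so a lower priority here (assumed value) runs after that setup.
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
    {
    # Defensive check in case the state was not set up for this connection.
    if ( ! c?$http )
        return;

    if ( is_orig )
        {
        # &optional fields start unset; create the vectors on first use.
        if ( ! c$http?$client_header_names )
            {
            c$http$client_header_names  = vector();
            c$http$client_header_values = vector();
            }
        # Append at index |v| to keep the two vectors aligned.  Bro delivers
        # header names to this event already upper-cased.
        c$http$client_header_names[|c$http$client_header_names|]   = name;
        c$http$client_header_values[|c$http$client_header_values|] = value;
        }
    else
        {
        if ( ! c$http?$server_header_names )
            {
            c$http$server_header_names  = vector();
            c$http$server_header_values = vector();
            }
        c$http$server_header_names[|c$http$server_header_names|]   = name;
        c$http$server_header_values[|c$http$server_header_values|] = value;
        }
    }
```

Two caveats a practitioner will hit with this layout: the ASCII writer joins vector elements with its set separator (a comma by default), so header values that themselves contain commas are ambiguous unless you change the separator or post-process the log with that in mind; and a host that sends many or very long headers will grow http.log rows accordingly, since nothing here caps the number of headers recorded per request.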
