[Bro] http_request event

Knick, Scott E CTR USARMY RCERT-EUR (US) scott.e.knick.ctr at mail.mil
Tue May 6 07:04:07 PDT 2014


I appreciate the reply. I'm really at this point just trying to get comfortable with Bro scripting. While I understand that Bro will already log HTTP data for me, the end goal is to be able to log very specific things that I want. My first exercise is to approximate the output of the "urlsnarf" tool (part of the dsniff tools).

I think you're right about the host part. I guess at the time of the http_request event, the DNS resolution has already occurred and thus at this "layer" I can just see the IP address of the host receiving the request, and the "HOST" part of the HTTP header hasn't been seen yet. Is an alternative way to implement this to maintain the hostname from a previous event? I'm kind of groping in the dark here...

-----Original Message-----
From: Shane Castle [mailto:shane.castle at gmail.com] 
Sent: Tuesday, May 06, 2014 3:59 PM
To: Knick, Scott E CTR USARMY RCERT-EUR (US)
Cc: bro at bro.org
Subject: Re: [Bro] http_request event

Hmm, yknow it's been a while since I messed around in Bro code, but I *think* the reason might be 'cos the host field is not filled in at that point in the processing. It looks like it's not til the header is being processed that it gets a value, in the "event http_header" part of http/main.bro. The IP addresses might have values, though.

Just out of curiosity, can you talk about what you are trying to accomplish here? Are you modifying the main.bro script, or are you adding to local.bro, or what?

--
Shane Castle

On 06.05.2014 14:56, Knick, Scott E CTR USARMY RCERT-EUR (US) wrote:
> Hello all,
> 
> This is my first message to the mailing list. I was hoping someone could help me understand something regarding the HTTP module's http_request event. Specifically, I was hoping I could get access to the additional information added to the connection parameter by the HTTP module, but when the event is fired, my handler is unable to reference the information as it doesn't appear that it's there. The information I'm referring to is the following (from the bro/share/bro/base/protocols/httpd/main.bro file):
> 
> # Add the http state tracking fields to the connection record.
> redef record connection += {
> 	http:        Info  &optional;
> 	http_state:  State &optional;
> };
> 
> When I try to get to the http field's host field, I get a "field value missing [WebRequests::c$http$host]" error.
> 
> Any thoughts?
> 
> --
> Scott Knick
> 
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
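The approach discussed above (record the method and URI at http_request, then pick up the Host header when http_header sees it) as an added example of a urlsnarf-style log; this is not code from the thread or from Bro's own http/main.bro, and the module name UrlSnarf, the snarf field and the log columns are assumptions:

```bro
# Added example: approximate urlsnarf output from the HTTP events.
# Assumes Bro 2.x event signatures; "UrlSnarf" and the "snarf" field are hypothetical names.
module UrlSnarf;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:     time   &log;
        orig:   addr   &log;
        resp:   addr   &log;
        method: string &log;
        host:   string &log &optional;  # not known until the Host header is parsed
        uri:    string &log;
    };
}

# Our own per-connection state, separate from the HTTP module's c$http.
redef record connection += {
    snarf: Info &optional;
};

event bro_init()
    {
    Log::create_stream(UrlSnarf::LOG, [$columns=Info]);
    }

# http_request fires before any header is parsed, so only the request line
# and the connection's IP addresses are available here; c$http$host is not.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    c$snarf = [$ts=network_time(), $orig=c$id$orig_h, $resp=c$id$resp_h,
               $method=method, $uri=original_URI];
    }

# Bro upper-cases header names, so the Host header arrives as "HOST".
event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    if ( is_orig && name == "HOST" && c?$snarf )
        c$snarf$host = value;
    }

# All request headers have been seen: the record is as complete as it gets.
# On a keep-alive connection the next http_request simply overwrites c$snarf.
event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
    {
    if ( is_orig && c?$snarf )
        Log::write(UrlSnarf::LOG, c$snarf);
    }
```

Loading this from local.bro writes a urlsnarf.log with one line per request, with the host column empty for requests that carried no Host header.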
