[Bro] http_request event

Josh Liburdi liburdi.joshua at gmail.com
Tue May 6 07:27:30 PDT 2014


Instead of using the http request event, you'll need to use an event that
has all of the fields you want to use in the script. A quick way to
identify those events is to look at the protocol analyzer page for common
protocol events:
http://www.bro.org/sphinx/scripts/proto-analyzers.html#bro-http

In many cases there are fields initialized in the connection portion of an
event that are not immediately obvious. One way to see what fields are
initialized in the event is to print the data to standard out ("print c;")
when running it in a local instance of Bro. You'll quickly see what is
initialized and what is not.

If you simply want all http data, you could use the http log event -- that's
generated as http logs are being sent to the logging framework.

# Fires once per HTTP transaction, just before the record is written to http.log;
# by this point host, uri, user_agent etc. are filled in where they were seen.
event HTTP::log_http(rec: HTTP::Info)
    {
    print rec;
    }

- Josh


On Tue, May 6, 2014 at 10:04 AM, Knick, Scott E CTR USARMY RCERT-EUR (US) <scott.e.knick.ctr at mail.mil> wrote:

> I appreciate the reply. I'm really at this point just trying to get
> comfortable with Bro scripting. While I understand that Bro will already
> log HTTP data for me, the end goal is to be able to log very specific
> things that I want. My first exercise is to approximate the output of the
> "urlsnarf" tool (part of the dsniff tools).
>
> I think you're right about the host part. I guess at the time of the
> http_request event, the DNS resolution has already occurred and thus at
> this "layer" I can just see the IP address of the host receiving the
> request, and the "HOST" part of the HTTP header hasn't been seen yet. Is an
> alternative way to implement this to maintain the hostname from a previous
> event? I'm kind of groping in the dark here...
>
> -----Original Message-----
> From: Shane Castle [mailto:shane.castle at gmail.com]
> Sent: Tuesday, May 06, 2014 3:59 PM
> To: Knick, Scott E CTR USARMY RCERT-EUR (US)
> Cc: bro at bro.org
> Subject: Re: [Bro] http_request event
>
> Hmm, yknow it's been a while since I messed around in Bro code, but I
> *think* the reason might be 'cos the host field is not filled in at that
> point in the processing. It looks like it's not til the header is being
> processed that it gets a value, in the "event http_header" part of
> http/main.bro. The IP addresses might have values, though.
>
> Just out of curiosity, can you talk about what you are trying to
> accomplish here? Are you modifying the main.bro script, or are you adding
> to local.bro, or what?
>
> --
> Shane Castle
>
> On 06.05.2014 14:56, Knick, Scott E CTR USARMY RCERT-EUR (US) wrote:
> > Hello all,
> >
> > This is my first message to the mailing list. I was hoping someone could
> help me understand something regarding the HTTP module's http_request
> event. Specifically, I was hoping I could get access to the additional
> information added to the connection parameter by the HTTP module, but when
> the event is fired, my handler is unable to reference the information as it
> doesn't appear that it's there. The information I'm referring to is the
> following (from the bro/share/bro/base/protocols/httpd/main.bro file):
> >
> > # Add the http state tracking fields to the connection record.
> > redef record connection += {
> >       http:        Info  &optional;
> >       http_state:  State &optional;
> > };
> >
> > When I try to get to the http field's host field, I get a "field value
> missing [WebRequests::c$http$host]" error.
> >
> > Any thoughts?
> >
> > --
> > Scott Knick
> >
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
>
>
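Putting the thread's two points together (a field that is unset at http_request time, and HTTP::log_http as the place where the record is complete), here is an added example script in the style of Scott's urlsnarf exercise. It is not code from the thread or from the Bro distribution; it assumes the Bro 2.x HTTP::Info field names (host, uri, method, referrer, user_agent) and the module/stream names WebRequests and WebRequests::LOG are the author's own choice.

```bro
# urlsnarf-style request logging (example script, not part of the thread).
# Assumes Bro 2.x field names in HTTP::Info; module and stream names are ours.
module WebRequests;

export {
    redef enum Log::ID += { LOG };

    # One row per request; optional columns are left empty when unseen.
    type Info: record {
        ts:         time   &log;
        uid:        string &log;
        orig_h:     addr   &log;
        method:     string &log &optional;
        url:        string &log &optional;
        referrer:   string &log &optional;
        user_agent: string &log &optional;
    };
}

event bro_init()
    {
    # Default output path is derived from the stream id: webrequests.log
    Log::create_stream(WebRequests::LOG, [$columns=WebRequests::Info]);
    }

# At http_request the request line has been parsed but the Host header has not,
# so c$http$host is still unset; reading it directly raises "field value missing".
# The ?$ test avoids that and falls back to the responder IP for early reporting.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    local h = (c?$http && c$http?$host) ? c$http$host : fmt("%s", c$id$resp_h);
    print fmt("early: %s %s (host known so far: %s)", method, original_URI, h);
    }

# By the time HTTP::log_http fires, the HTTP::Info record is complete, so this is
# the right place to build the urlsnarf-like line without guessing at timing.
event HTTP::log_http(rec: HTTP::Info)
    {
    local r: WebRequests::Info = [$ts=rec$ts, $uid=rec$uid, $orig_h=rec$id$orig_h];

    if ( rec?$method )
        r$method = rec$method;
    if ( rec?$host && rec?$uri )
        r$url = fmt("http://%s%s", rec$host, rec$uri);
    if ( rec?$referrer )
        r$referrer = rec$referrer;
    if ( rec?$user_agent )
        r$user_agent = rec$user_agent;

    Log::write(WebRequests::LOG, r);
    }
```

Run it against a capture with `bro -r trace.pcap webrequests.bro` and compare webrequests.log with http.log; the early print lines show why the http_request handler alone cannot reproduce urlsnarf's host column, while the log_http handler has every field the tool prints.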