[Bro] http_request event

Shane Castle shane.castle at gmail.com
Tue May 6 07:30:29 PDT 2014


You'd probably want to get your information at the time the http.log
file entry is fired off, I think, or tie your output to a different event.

Have you seen the git repositories for Bro scripts of various sorts? And
of course there's this section of the Bro doc:
https://www.bro.org/sphinx/scripting/index.html

A couple years ago I was into modifying the Bro installation I was in
charge of (using Security Onion, a great set of tools). I'm not doing
that anymore (a huge family relocation) but I'm trying to stay current,
with an NSM installed in a VM at home.

-- 
Shane Castle

On 06.05.2014 16:04, Knick, Scott E CTR USARMY RCERT-EUR (US) wrote:
> I appreciate the reply. I'm really at this point just trying to get
> comfortable with Bro scripting. While I understand that Bro will
> already log HTTP data for me, the end goal is to be able to log very
> specific things that I want. My first exercise is to approximate the
> output of the "urlsnarf" tool (part of the dsniff tools).
> 
> I think you're right about the host part. I guess at the time of the
> http_request event, the DNS resolution has already occurred and thus
> at this "layer" I can just see the IP address of the host receiving
> the request, and the "HOST" part of the HTTP header hasn't been seen
> yet. Is an alternative way to implement this to maintain the hostname
> from a previous event? I'm kind of groping in the dark here...
> 
> -----Original Message-----
> From: Shane Castle [mailto:shane.castle at gmail.com]
> Sent: Tuesday, May 06, 2014 3:59 PM
> To: Knick, Scott E CTR USARMY RCERT-EUR (US)
> Cc: bro at bro.org
> Subject: Re: [Bro] http_request event
> 
> Hmm, yknow it's been a while since I messed around in Bro code, but
> I *think* the reason might be 'cos the host field is not filled in at
> that point in the processing. It looks like it's not til the header
> is being processed that it gets a value, in the "event http_header"
> part of http/main.bro. The IP addresses might have values, though.
> 
> Just out of curiosity, can you talk about what you are trying to
> accomplish here? Are you modifying the main.bro script, or are you
> adding to local.bro, or what?
> 
> -- Shane Castle
> 
> On 06.05.2014 14:56, Knick, Scott E CTR USARMY RCERT-EUR (US) wrote:
>> Hello all,
>> 
>> This is my first message to the mailing list. I was hoping someone
>> could help me understand something regarding the HTTP module's
>> http_request event. Specifically, I was hoping I could get access
>> to the additional information added to the connection parameter by
>> the HTTP module, but when the event is fired, my handler is unable
>> to reference the information as it doesn't appear that it's there.
>> The information I'm referring to is the following (from the
>> bro/share/bro/base/protocols/httpd/main.bro file):
>> 
>> # Add the http state tracking fields to the connection record.
>> redef record connection += {
>>     http:        Info  &optional;
>>     http_state:  State &optional;
>> };
>> 
>> When I try to get to the http field's host field, I get a "field
>> value missing [WebRequests::c$http$host]" error.
>> 
>> Any thoughts?
>> 
>> -- Scott Knick
>> 
>> 
>> 
>> 
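Shane's suggestion of tying the output to the moment the http.log entry is written, as an added example that is not part of this thread or of the Bro distribution. It assumes Bro 2.x with the base HTTP scripts loaded, hooks the HTTP::log_http event (fired by http/main.bro just before each http.log record is written, when the header-derived fields such as host are already present), and the urlsnarf-like line format is an approximation.

```bro
## Added example, not from the thread or the Bro project. Assumes Bro 2.x
## with base/protocols/http loaded.

module WebRequests;

# Build one urlsnarf-like line:
#   client - - [time] "METHOD http://host/uri" "referrer" "user-agent"
# Every header-derived field in HTTP::Info is &optional, so test with ?$
# before reading it and fall back to the responder IP when no Host
# header was ever seen.
function format_request(rec: HTTP::Info): string
    {
    local host = rec?$host ? rec$host : fmt("%s", rec$id$resp_h);
    local method = rec?$method ? rec$method : "-";
    local uri = rec?$uri ? rec$uri : "/";
    local referrer = rec?$referrer ? rec$referrer : "-";
    local ua = rec?$user_agent ? rec$user_agent : "-";
    return fmt("%s - - [%s] \"%s http://%s%s\" \"%s\" \"%s\"",
               rec$id$orig_h, strftime("%d/%b/%Y:%H:%M:%S", rec$ts),
               method, host, uri, referrer, ua);
    }

# Fired by http/main.bro right before the http.log record is written, so
# host, referrer and user_agent have been filled in by the http_header
# handler if the headers carried them.
event HTTP::log_http(rec: HTTP::Info)
    {
    print format_request(rec);
    }

# For comparison: at http_request time main.bro has only set method/uri
# (and the connection IDs); c$http$host is still absent, which is what the
# "field value missing" error in the thread shows. This handler guards
# the access instead of assuming the field exists.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    if ( c?$http && c$http?$host )
        print fmt("host already known at request time: %s", c$http$host);
    }
```

Run it against a capture with `bro -r some_trace.pcap urlsnarf.bro` (file names are placeholders); each HTTP transaction prints one line once its http.log record is emitted.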