[Bro] http_request event

anthony kasza anthony.kasza at gmail.com
Tue May 6 07:43:37 PDT 2014 

Info records can have fields which are optional or get set at a later stage
in processing than where user defined code is handled. It's good practice
to check if a field is present before using its value. An example of a
check follows:

if (c$http?$host)
{
  print "host field is there";
}

-AK
On May 6, 2014 7:14 AM, "Shane Castle" <shane.castle at gmail.com> wrote:

> Hmm, yknow it's been a while since I messed around in Bro code, but I
> *think* the reason might be 'cos the host field is not filled in at that
> point in the processing. It looks like it's not til the header is being
> processed that it gets a value, in the "event http_header" part of
> http/main.bro. The IP addresses might have values, though.
>
> Just out of curiosity, can you talk about what you are trying to
> accomplish here? Are you modifying the main.bro script, or are you
> adding to local.bro, or what?
>
> --
> Shane Castle
>
> On 06.05.2014 14:56, Knick, Scott E CTR USARMY RCERT-EUR (US) wrote:
> > Hello all,
> >
> > This is my first message to the mailing list. I was hoping someone could
> help me understand something regarding the HTTP module's http_request
> event. Specifically, I was hoping I could get access to the additional
> information added to the connection parameter by the HTTP module, but when
> the event is fired, my handler is unable to reference the information as it
> doesn't appear that it's there. The information I'm referring to is the
> following (from the bro/share/bro/base/protocols/httpd/main.bro file):
> >
> > # Add the http state tracking fields to the connection record.
> > redef record connection += {
> >       http:        Info  &optional;
> >       http_state:  State &optional;
> > };
> >
> > When I try to get to the http field's host field, I get a "field value
> missing [WebRequests::c$http$host]" error.
> >
> > Any thoughts?
> >
> > --
> > Scott Knick
> >
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140506/ecd8c862/attachment.html

More information about the Bro mailing list