[Bro] HTTP traffic logging
Hosom, Stephen M
hosom at battelle.org
Fri Apr 3 04:32:33 PDT 2015
Gediminas,
The folks at Broala have written a script that logs POST data. I think this does most of what you’re looking for:
https://github.com/broala/bro-snippets/blob/master/http-add-post-bodies.bro
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Gediminas Margis
Sent: Friday, April 03, 2015 4:19 AM
To: bro at bro.org
Subject: [Bro] HTTP traffic logging
Hello,
I am interested in logging full* HTTP traffic content into log files/a SIEM solution for inspection at a later date.
The scenario would be to parse plaintext/decrypted HTTP traffic with Bro and store source/dest, URI, and POST/GET data values. This is for historical search for malicious content at a later date in the SIEM solution.
Critical parts are src, dst, URI, POST/GET data that is submitted.
I am currently going through the Bro documentation but can't find any info on how I can do this. I am looking at https://www.bro.org/sphinx/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro.html
As I understand it, the content of POST data is stored in the HTTP request, so I would need to use http_request or http_entity_data.
Also, I am pretty new to Bro, so I'm not even sure how to start with this. My end goal would be to have a log that looks something like this:
timestamp, method, src_ip, src_port, dst_ip, dst_port, uri, data (GET/POST, key value pairs like name=mike&occupation=driver).
--
Best Regards,
Gediminas Margis,
PGP Key-ID: 0xE6D92FE2FA3AD133 <http://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0xE6D92FE2FA3AD133>
77BD 9F67 F1CF 72B0 7273 E086 E6D9 2FE2 FA3A D133
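As an added example of the kind of script the reply points to (this is not the Broala snippet and not code from either poster), the following Bro 2.x script writes a separate `http_body.log` with the fields asked for above: timestamp, connection 4-tuple, method, host, URI (which already carries GET query parameters) and the raw POST body. The stream name, the `http_body` path and the 4096-byte cap are assumptions chosen for the example.

```bro
##! Log HTTP requests together with a bounded copy of the POST body.
##! Added example for the thread above; stream name, path and cap are assumed.

module HTTPBody;

export {
    redef enum Log::ID += { LOG };

    ## One record per completed HTTP request.
    type Info: record {
        ts:        time    &log;            ## request timestamp (from HTTP::Info)
        uid:       string  &log;            ## connection uid, joins with conn.log/http.log
        id:        conn_id &log;            ## orig_h/orig_p/resp_h/resp_p
        method:    string  &log &optional;  ## GET, POST, ...
        host:      string  &log &optional;  ## Host header
        uri:       string  &log &optional;  ## URI including any GET query string
        post_body: string  &log &optional;  ## first max_body_len bytes of a POST body
    };

    ## Assumed cap on how many body bytes are kept per request; the log is
    ## shipped to a SIEM, so keep this small and tune with `redef`.
    const max_body_len = 4096 &redef;
}

## Carry the partial body on the per-request HTTP state.
redef record HTTP::Info += {
    post_body: string &optional;
};

event bro_init() &priority=5
{
    Log::create_stream(HTTPBody::LOG, [$columns=Info, $path="http_body"]);
}

## Entity data arrives in chunks; defining this handler is what makes Bro
## deliver it. Keep only client-side (is_orig) bodies of POST requests.
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
{
    if ( ! is_orig || ! c?$http || ! c$http?$method || c$http$method != "POST" )
        return;

    if ( ! c$http?$post_body )
        c$http$post_body = "";

    # Stop appending once the cap is reached (count arithmetic must not go negative).
    if ( |c$http$post_body| >= max_body_len )
        return;

    local remaining = max_body_len - |c$http$post_body|;
    c$http$post_body = c$http$post_body + sub_bytes(data, 1, remaining);
}

## Emit one record when the request side of the message is complete.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
{
    if ( ! is_orig || ! c?$http )
        return;

    local rec: Info = [$ts=c$http$ts, $uid=c$uid, $id=c$id];

    if ( c$http?$method )    rec$method    = c$http$method;
    if ( c$http?$host )      rec$host      = c$http$host;
    if ( c$http?$uri )       rec$uri       = c$http$uri;
    if ( c$http?$post_body ) rec$post_body = c$http$post_body;

    Log::write(HTTPBody::LOG, rec);
}
```

Load it with `bro -r capture.pcap http-body.bro` (or add it to `local.bro`) and the output lands in `http_body.log` beside `http.log`, joinable on `uid`. Two practical notes: the body is written verbatim, so form submissions containing passwords, session tokens or personal data end up in the log and the SIEM index, and access to that log should be restricted accordingly; and the per-request cap is what keeps file uploads and large JSON bodies from inflating log volume, so size it to the form data you actually need to search.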