[Bro] HTTP traffic logging

anthony kasza anthony.kasza at gmail.com
Fri Apr 3 08:14:00 PDT 2015


You might want to consider adding additional logic to that script to
selectively log POST bodies. Depending on your environment, POST can get big.

-AK
On Apr 3, 2015 4:36 AM, "Hosom, Stephen M" <hosom at battelle.org> wrote:

> Gediminas,
>
> The folks at Broala have written a script that logs POST data. I think
> this does most of what you’re looking for:
>
> https://github.com/broala/bro-snippets/blob/master/http-add-post-bodies.bro
>
> *From:* bro-bounces at bro.org [mailto:bro-bounces at bro.org] *On Behalf Of* Gediminas Margis
> *Sent:* Friday, April 03, 2015 4:19 AM
> *To:* bro at bro.org
> *Subject:* [Bro] HTTP traffic logging
>
>
> Hello,
>
> I am interested in logging full* HTTP traffic content into log files/a SIEM
> solution for inspection at a later date.
>
> The scenario would be to parse plaintext/decrypted HTTP traffic with Bro and
> store source/dest, uri, and POST/GET data values. This is for historical searches
> for malicious content at a later date in the SIEM solution.
>
> Critical parts are src, dst, URI, POST/GET data that is submitted.
>
> I am currently going through the Bro documentation but can't find any info on
> how I can do this. I am looking at
> https://www.bro.org/sphinx/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro.html
>
> As I understand it, the content of POST data is stored in the HTTP request, so I
> would need to use http_request or http_entity_data.
> Also, I am pretty new to Bro, so I'm not even sure how to start with this. My
> end goal would be to have a log that looks something like this:
>
> timestamp, method, src_ip, src_port, dst_ip, dst_port, uri, data(GET/POST,
> key value pairs like name=mike&occupation=driver).
>
> --
> Best Regards,
>
> Gediminas Margis,
>
> PGP Key-ID: 0xE6D92FE2FA3AD133
> <http://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0xE6D92FE2FA3AD133>
> 77BD 9F67 F1CF 72B0 7273 E086 E6D9 2FE2 FA3A D133
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
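Following up on the suggestion to log POST bodies selectively, here is an added example of a Bro script (not from the thread, the Broala snippet, or the Bro project) that appends a capped client body to http.log only for chosen request methods and form content types; the cap, the method set and the Content-Type pattern are assumptions to tune per environment. GET parameters already appear in the `uri` field of http.log, so nothing extra is needed for them, and the filter and cap also bound how much form data (credentials included) ends up in the SIEM.

```bro
@load base/protocols/http

module HTTP;

export {
	## Cap on request-body bytes kept per request (assumed value; tune it).
	const max_post_body_len = 1024 &redef;
	## Request methods whose bodies are kept (assumption).
	const log_body_methods: set[string] = { "POST", "PUT" } &redef;
	## Only bodies whose Content-Type matches this pattern are kept (assumption).
	const log_body_content_types = /^application\/x-www-form-urlencoded/ &redef;

	redef record Info += {
		## Client request body, cut off at max_post_body_len bytes.
		post_body:           string &log &optional;
		## T when the body was longer than the cap and was cut off.
		post_body_truncated: bool   &log &default=F;
		## Request Content-Type header; used for the filter, not logged.
		post_content_type:   string &optional;
	};
}

# Bro delivers header names upper-cased.
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
	{
	if ( is_orig && name == "CONTENT-TYPE" && c?$http )
		c$http$post_content_type = value;
	}

# Request bodies arrive in chunks; append each one until the cap is reached.
event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=5
	{
	if ( ! is_orig || ! c?$http || ! c$http?$method || ! c$http?$post_content_type )
		return;
	if ( c$http$method !in log_body_methods )
		return;
	if ( log_body_content_types !in c$http$post_content_type )
		return;

	local cur = c$http?$post_body ? c$http$post_body : "";
	local room: count = |cur| < max_post_body_len ? max_post_body_len - |cur| : 0;
	if ( |data| > room )
		c$http$post_body_truncated = T;   # some bytes of this request were dropped
	if ( room > 0 )
		c$http$post_body = cur + sub_bytes(data, 1, room);
	}
```

Load it alongside the default HTTP scripts and the two new columns appear in http.log; bodies that are not form-encoded (file uploads, JSON APIs) are skipped entirely rather than truncated.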