[Bro] How to modify http.log

Vlad Grigorescu vlad at grigorescu.org
Wed May 27 09:01:29 PDT 2015


Log::write is already being called in the base scripts. You want to add a
field to the record and let the base scripts worry about actually logging
it out. See policy/protocols/http/var-extraction-cookies.bro (
https://github.com/bro/bro/blob/master/scripts/policy/protocols/http/var-extraction-cookies.bro)
as an example.

You might not be able to do what you want, though, because lookup_hostname
is an asynchronous function. If it doesn't return quickly enough, the log
will be written without the field filled in. Another thing to keep in mind
is that a large number of asynchronous calls can have a significant
performance penalty.

c$http, c$http$uri and c$http$host are optional fields[1], so you should
check for the presence of those fields with the ?$ operator before
accessing them. Finally, the scheme (http://) is not included in the uri
field, so I'm not really sure how your if statement is matching. I would
replace that if condition with: c?$http && c$http?$host. If the host field
is set, you know it's HTTP and that you saw the request.

  --Vlad

[1] - <https://www.bro.org/sphinx-git/scripts/base/protocols/http/main.bro.html#type-HTTP::Info>
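The approach described above, written out as an added example (not code from either message in the thread): extend HTTP::Info, fill the new field from an http_header handler once the Host header is known, and leave the actual Log::write to the base scripts. It assumes Bro 2.x event signatures and that the base HTTP script has set c$http$host before a lower-priority http_header handler runs.

```bro
##! Added example: attach resolved Host-header addresses to http.log
##! without calling Log::write ourselves.

@load base/protocols/http

redef record HTTP::Info += {
    ## Addresses the Host header resolved to. Stays unset if the lookup
    ## fails or does not return before the base script logs the record.
    host_ip: set[addr] &optional &log;
};

# Run after the base script (priority -5), so c$http$host is populated.
# Hooking the client's Host header gives the lookup the rest of the
# transaction to complete, instead of racing connection_state_remove.
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=-5
{
    if ( ! is_orig || name != "HOST" )
        return;

    # c$http and c$http$host are &optional: test with ?$ before access.
    if ( ! c?$http || ! c$http?$host )
        return;

    # Keep a handle on this transaction's record: by the time the lookup
    # returns, c$http may already describe a later request on the connection.
    local info = c$http;

    when ( local h = lookup_hostname(info$host) )
    {
        # Only store real answers; a failed lookup yields 0.0.0.0.
        if ( |h| > 0 && 0.0.0.0 !in h )
            info$host_ip = h;
        # No Log::write here: the base HTTP script logs HTTP::Info once.
    }
    timeout 5 sec
    {
        # Lookup too slow; the record is logged with host_ip unset.
    }
}
```

Because lookup_hostname is asynchronous, host_ip is best-effort: a slow resolver leaves the field empty rather than producing a second log line.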

On Wed, May 27, 2015 at 5:03 AM, Vito Logrillo <vitologrillo at gmail.com>
wrote:

> Hi all,
> I'm trying to modify http.log using the script written below
>
> -----script.bro-----
> redef record HTTP::Info += {
>         host_ip: set[addr] &optional &log;
> };
>
> event connection_state_remove(c: connection) &priority=5
> {
>         local record_flag: bool = F;
>
>         if  (/^[hH][tT][tT][pP]:/ in c$http$uri)
>         {
>
>                 record_flag = T;
>
>                 when (local h = lookup_hostname(c$http$host))
>                 {
>                         record_flag = F;
>                         print(h);
>                         if (|h|>0 && (0.0.0.0 !in h))
>                         {
>                                 c$http$host_ip = h;
>                                 Log::write(HTTP::LOG, c$http);
>                         }
>                 return;
>                 }
>         }
>         if (record_flag == T)
>         {
>                 return;
>         }
> }
>
> -----end script.bro----
>
> I've added a new field in http.log (host_ip) in order to see the host
> ip using the function lookup_hostname.
> The script works well, but the same record is written twice (with and
> without the host_ip field).
> I've tried to use a state flag (record_flag) to avoid this, but the
> result is the same.
> How can I avoid record duplication?
> Thanks,
> Vito
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>