[Bro] http multi-part
Dk Jack
dnj0496 at gmail.com
Fri Aug 25 16:52:12 PDT 2017
Hi Jim,
I am doing something very similar to what you are doing in your script.
However, I am unable to capture the body when the content-type is:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
When I use entity_data and end_entity event functions, what I accumulate
for body when I receive a multi-part body is just a small string:
YWFhYWFh
However, I know my body is much larger. I've copy pasted the wireshark
output of the multi-part content to the end of this email.
I see there are mime_xxx functions. Should I be using them to capture
multi-part content? If they should be used, any help in how they should be
used would be most appreciated. Thanks.
Dk.
[HTTP request 1/1]
File Data: 736 bytes
MIME Multipart Media Encapsulation, Type: multipart/form-data, Boundary:
"---- WebKitFormBoundarygsgnAl2Dz3rduY2p"
[Type: multipart/form-data]
First boundary: ------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
Encapsulated multipart part:
Content-Disposition: form-data; name="success_url"\r\n\r\n
Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
Encapsulated multipart part:
Content-Disposition: form-data; name="error_url"\r\n\r\n
Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
Encapsulated multipart part:
Content-Disposition: form-data; name="firstname"\r\n\r\n
Data (1 byte)
0000 61 a
Data: 61
[Length: 1]
Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
Encapsulated multipart part:
Content-Disposition: form-data; name="lastname"\r\n\r\n
Data (1 byte)
0000 62 b
Data: 62
[Length: 1]
Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
Encapsulated multipart part:
Content-Disposition: form-data; name="email"\r\n\r\n
Data (7 bytes)
0000 62 40 63 2e 63 6f 6d b at c.com
Data: 6240632e636f6d
[Length: 7]
Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
Encapsulated multipart part:
Content-Disposition: form-data; name="password"\r\n\r\n
Data (6 bytes)
0000 61 61 61 61 61 61 aaaaaa
Data: 616161616161
[Length: 6]
Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
Encapsulated multipart part:
Content-Disposition: form-data; name="confirmation"\r\n\r\n
Data (6 bytes)
0000 61 61 61 61 61 61 aaaaaa
Data: 616161616161
[Length: 6]
Last boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p--\r\n
On Fri, Aug 25, 2017 at 11:21 AM, Jim Mellander <jmellander at lbl.gov> wrote:
> Hi:
>
> The attached policy should help you. It assembles multipart HTTP POSTs,
> and performs regular expression matching on the POST contents.
>
> Jim
>
>
> On Thu, Aug 24, 2017 at 6:55 PM, Dk Jack <dnj0496 at gmail.com> wrote:
>
>> Hi,
>> I am trying to perform some analysis on the HTTP body. For regular
>> messages I am accumulating the http body using http_entity_data
>> and http_end_entity events. However, this doesn't seem to work for
>> multi-part post messages. How do I accumulate multi-part post messages? Any
>> help is appreciated. Thanks.
>>
>> Dk.
>
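Added example, not part of the original thread and not Bro script: an offline Python check of what a fully accumulated body for this request should contain, set against the string the script actually collected. The body is rebuilt from the boundary and field values in the Wireshark dissection above (constructed, not a capture), and the function names are hypothetical. The rebuilt body comes to the same 736 bytes Wireshark reports, and `YWFhYWFh` base64-decodes to the six bytes carried by a single part, not to the whole body.

```python
import base64
import re

# Boundary from the Content-Type header quoted in the post.
BOUNDARY = b"----WebKitFormBoundarygsgnAl2Dz3rduY2p"
# Field names and values taken from the Wireshark dissection in the post
# (body rebuilt from them here; constructed, not a packet capture).
FIELDS = [(b"success_url", b""), (b"error_url", b""), (b"firstname", b"a"),
          (b"lastname", b"b"), (b"email", b"b@c.com"),
          (b"password", b"aaaaaa"), (b"confirmation", b"aaaaaa")]


def build_body(fields, boundary):
    """Serialise fields with multipart/form-data framing."""
    out = b""
    for name, value in fields:
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + name + b'"\r\n\r\n'
        out += value + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


def parse_parts(body, boundary):
    """Return [(name, data)] per part; raise if the body is cut short."""
    delim = b"\r\n--" + boundary
    chunks = (b"\r\n" + body).split(delim)
    if len(chunks) < 2 or not chunks[-1].startswith(b"--"):
        raise ValueError("closing boundary not seen: body is truncated")
    parts = []
    for chunk in chunks[1:-1]:  # skip the preamble and the closing marker
        headers, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part has no header/body separator")
        m = re.search(rb'name="([^"]*)"', headers)
        parts.append((m.group(1) if m else b"", data))
    return parts


def parts_matching(captured_b64, parts):
    """Names of the parts whose payload equals the base64-decoded capture."""
    seen = base64.b64decode(captured_b64)
    return [name.decode() for name, data in parts if data == seen]


if __name__ == "__main__":
    body = build_body(FIELDS, BOUNDARY)
    parts = parse_parts(body, BOUNDARY)
    print(len(body), "bytes,", len(parts), "parts")
    print("YWFhYWFh matches:", parts_matching("YWFhYWFh", parts))
```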