[Bro] http multi-part

Jim Mellander jmellander at lbl.gov
Sat Aug 26 10:41:02 PDT 2017


Perhaps posting the script you are using and a sample pcap might help to
debug the issue you are having.

Cheers,

Jim

On Fri, Aug 25, 2017 at 4:52 PM, Dk Jack <dnj0496 at gmail.com> wrote:

> Hi Jim,
> I am doing something very similar to what you are doing in your script.
> However, I am unable to capture the body when the content-type is:
>
> Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>
> When I use entity_data and end_entity event functions, what I accumulate
> for body when I receive a multi-part body is just a small string:
>
> YWFhYWFh
>
> However, I know my body is much larger. I've copy pasted the wireshark
> output of the multi-part content to the end of this email.
>
> I see there are mime_xxx functions. Should I be using them to capture
> multi-part content? If they should be used, any help in how they should be
> used would be most appreciated. Thanks.
>
> Dk.
>
>     [HTTP request 1/1]
>     File Data: 736 bytes
> MIME Multipart Media Encapsulation, Type: multipart/form-data, Boundary: "----WebKitFormBoundarygsgnAl2Dz3rduY2p"
>     [Type: multipart/form-data]
>     First boundary: ------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>     Encapsulated multipart part:
>         Content-Disposition: form-data; name="success_url"\r\n\r\n
>     Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>     Encapsulated multipart part:
>         Content-Disposition: form-data; name="error_url"\r\n\r\n
>     Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>     Encapsulated multipart part:
>         Content-Disposition: form-data; name="firstname"\r\n\r\n
>         Data (1 byte)
>
> 0000  61                                                a
>             Data: 61
>             [Length: 1]
>     Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>     Encapsulated multipart part:
>         Content-Disposition: form-data; name="lastname"\r\n\r\n
>         Data (1 byte)
>
> 0000  62                                                b
>             Data: 62
>             [Length: 1]
>     Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>     Encapsulated multipart part:
>         Content-Disposition: form-data; name="email"\r\n\r\n
>         Data (7 bytes)
>
> 0000  62 40 63 2e 63 6f 6d                              b at c.com
>             Data: 6240632e636f6d
>             [Length: 7]
>     Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>     Encapsulated multipart part:
>         Content-Disposition: form-data; name="password"\r\n\r\n
>         Data (6 bytes)
>
> 0000  61 61 61 61 61 61                                 aaaaaa
>             Data: 616161616161
>             [Length: 6]
>     Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>     Encapsulated multipart part:
>         Content-Disposition: form-data; name="confirmation"\r\n\r\n
>         Data (6 bytes)
>
> 0000  61 61 61 61 61 61                                 aaaaaa
>             Data: 616161616161
>             [Length: 6]
>     Last boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p--\r\n
>
>
> On Fri, Aug 25, 2017 at 11:21 AM, Jim Mellander <jmellander at lbl.gov>
> wrote:
>
>> Hi:
>>
>> The attached policy should help you. It assembles multipart HTTP POSTs,
>> and performs regular expression matching on the POST contents.
>>
>> Jim
>>
>>
>> On Thu, Aug 24, 2017 at 6:55 PM, Dk Jack <dnj0496 at gmail.com> wrote:
>>
>>> Hi,
>>> I am trying to perform some analysis on the HTTP body. For regular
>>> messages I am accumulating the http body using http_entity_data
>>> and http_end_entity events. However, this doesn't seem to work for
>>> multi-part post messages. How do I accumulate multi-part post messages? Any
>>> help is appreciated. Thanks.
>>>
>>> Dk.
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>
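An added example, not from this thread or from Bro's own code: a small Python parser that rebuilds the form body from the Wireshark dump above (the success_url and error_url values are not shown in the dump and are assumed empty) and splits it at the boundary. It shows that every form field is a separate MIME part with its own headers, and that the short string quoted above is the base64 encoding of the final part's data, which is what an accumulator that is reset at every entity instead of at the end of the whole message would be left with.

```python
import base64
import re

# Boundary parameter from the Content-Type header quoted in the thread.
BOUNDARY = "----WebKitFormBoundarygsgnAl2Dz3rduY2p"

# Constructed sample: the form fields from the Wireshark dump. The first two
# values are not visible in the dump and are assumed empty here.
FIELDS = [
    ("success_url", b""),
    ("error_url", b""),
    ("firstname", b"a"),
    ("lastname", b"b"),
    ("email", b"b@c.com"),
    ("password", b"aaaaaa"),
    ("confirmation", b"aaaaaa"),
]


def build_body(fields, boundary=BOUNDARY):
    """Serialise name/value pairs the way the dump shows them (RFC 2046 layout)."""
    delim = b"--" + boundary.encode()
    body = b""
    for name, value in fields:
        body += delim + b"\r\n"
        body += b'Content-Disposition: form-data; name="%s"\r\n\r\n' % name.encode()
        body += value + b"\r\n"
    return body + delim + b"--\r\n"


def parse_multipart(body, boundary=BOUNDARY):
    """Split a multipart/form-data body into (name, data) parts.

    Each part carries its own header block, so a MIME-aware analyser treats
    every form field as a separate entity rather than one opaque body.
    """
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:          # drop the preamble
        if chunk.startswith(b"--"):              # closing delimiter reached
            break
        headers, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', headers)
        name = m.group(1).decode() if m else ""
        parts.append((name, data[:-2] if data.endswith(b"\r\n") else data))
    return parts


def last_part_base64(body, boundary=BOUNDARY):
    """Base64 of the final part only: what a per-entity accumulator ends with."""
    _, data = parse_multipart(body, boundary)[-1]
    return base64.b64encode(data).decode()
```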