[Bro] http multi-part

Dk Jack dnj0496 at gmail.com
Mon Aug 28 11:13:30 PDT 2017


I did some more investigation and it seems like my understanding of how Bro works was incomplete.

What I observed is, for each entity/boundary in a multipart form request, Bro is raising a unique pair of http_entity_data and http_end_entity events. For example, if you send a curl request as shown below:

curl -v --form "key1=value1" --form "key2=value2" --form "key3=value3" http://<target>/

then Bro is raising three pairs of http_entity_data and http_end_entity events. I was assuming I'd just get one pair of events. Since I was expecting only one event, I was overwriting the body I had saved from the previous event. As a result, my body variable was retaining only the last part of the multi-part form.


On Sat, Aug 26, 2017 at 10:41 AM, Jim Mellander <jmellander at lbl.gov> wrote:

> Perhaps posting the script you are using and a sample pcap might help to
> debug the issue you are having.
>
> Cheers,
>
> Jim
>
> On Fri, Aug 25, 2017 at 4:52 PM, Dk Jack <dnj0496 at gmail.com> wrote:
>
>> Hi Jim,
>> I am doing something very similar to what you are doing in your script.
>> However, I am unable to capture the body when the content-type is:
>>
>> Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>>
>> When I use entity_data and end_entity event functions, what I accumulate
>> for body when I receive a multi-part body is just a small string:
>>
>> YWFhYWFh
>>
>> However, I know my body is much larger. I've copy pasted the wireshark
>> output of the multi-part content to the end of this email.
>>
>> I see there are mime_xxx functions. Should I be using them to capture
>> multi-part content? If they should be used, any help in how they should be
>> used would be most appreciated. Thanks.
>>
>> Dk.
>>
>>     [HTTP request 1/1]
>>     File Data: 736 bytes
>> MIME Multipart Media Encapsulation, Type: multipart/form-data, Boundary:
>> "----WebKitFormBoundarygsgnAl2Dz3rduY2p"
>>     [Type: multipart/form-data]
>>     First boundary: ------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>>     Encapsulated multipart part:
>>         Content-Disposition: form-data; name="success_url"\r\n\r\n
>>     Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>>     Encapsulated multipart part:
>>         Content-Disposition: form-data; name="error_url"\r\n\r\n
>>     Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>>     Encapsulated multipart part:
>>         Content-Disposition: form-data; name="firstname"\r\n\r\n
>>         Data (1 byte)
>>
>> 0000  61                                                a
>>             Data: 61
>>             [Length: 1]
>>     Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>>     Encapsulated multipart part:
>>         Content-Disposition: form-data; name="lastname"\r\n\r\n
>>         Data (1 byte)
>>
>> 0000  62                                                b
>>             Data: 62
>>             [Length: 1]
>>     Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>>     Encapsulated multipart part:
>>         Content-Disposition: form-data; name="email"\r\n\r\n
>>         Data (7 bytes)
>>
>> 0000  62 40 63 2e 63 6f 6d                              b at c.com
>>             Data: 6240632e636f6d
>>             [Length: 7]
>>     Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>>     Encapsulated multipart part:
>>         Content-Disposition: form-data; name="password"\r\n\r\n
>>         Data (6 bytes)
>>
>> 0000  61 61 61 61 61 61                                 aaaaaa
>>             Data: 616161616161
>>             [Length: 6]
>>     Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
>>     Encapsulated multipart part:
>>         Content-Disposition: form-data; name="confirmation"\r\n\r\n
>>         Data (6 bytes)
>>
>> 0000  61 61 61 61 61 61                                 aaaaaa
>>             Data: 616161616161
>>             [Length: 6]
>>     Last boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p--\r\n
>>
>>
>> On Fri, Aug 25, 2017 at 11:21 AM, Jim Mellander <jmellander at lbl.gov>
>> wrote:
>>
>>> Hi:
>>>
>>> The attached policy should help you. It assembles multipart HTTP POSTs,
>>> and performs regular expression matching on the POST contents.
>>>
>>> Jim
>>>
>>>
>>> On Thu, Aug 24, 2017 at 6:55 PM, Dk Jack <dnj0496 at gmail.com> wrote:
>>>
>>>> Hi,
>>>> I am trying to perform some analysis on the HTTP body. For regular
>>>> messages I am accumulating the http body using http_entity_data
>>>> and http_end_entity events. However, this doesn't seem to work for
>>>> multi-part post message. How do I accumulate multi-part post messages? Any
>>>> help is appreciated. Thanks.
>>>>
>>>> Dk.
>>>>
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>
>>>
>>>
>>
>
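The per-part event behaviour described in the top message, shown as an added Bro script example (this is not code from the thread and not Jim Mellander's attached policy). It uses Bro's standard http_begin_entity, http_entity_data and http_message_done events; the module name MultipartBody, the BodyState record and the max_body_size limit are assumed names chosen for the example. The point it illustrates: every part of a multipart/form-data request gets its own http_begin_entity / http_entity_data / http_end_entity sequence (and a large part may arrive as several http_entity_data events), so the body must be appended to per connection and only inspected at http_message_done, which fires once for the whole request, rather than at http_end_entity, which fires once per part.

```zeek
# Added example (not from the thread): accumulate every multipart part of a
# request body per connection instead of keeping only the last one.
# Module, record and constant names are assumptions made for this example.
module MultipartBody;

export {
    ## Cap on request-body bytes kept per connection (constructed limit).
    const max_body_size = 64 * 1024 &redef;
}

# Per-connection state: body collected so far, number of entities (parts) seen,
# and whether the cap was hit.
type BodyState: record {
    body: string &default="";
    entities: count &default=0;
    truncated: bool &default=F;
};

# Keyed by connection uid; expire stale entries if http_message_done never fires.
global bodies: table[string] of BodyState &write_expire=5min;

# Each part of a multipart/form-data body starts with its own http_begin_entity,
# so this counts parts (a non-multipart body simply counts as one entity).
event http_begin_entity(c: connection, is_orig: bool)
    {
    if ( ! is_orig )
        return;
    if ( c$uid !in bodies )
        bodies[c$uid] = [$body="", $entities=0, $truncated=F];
    bodies[c$uid]$entities += 1;
    }

# Append rather than assign: assigning here keeps only the last part, which is
# exactly the symptom described in the thread.
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    if ( ! is_orig || c$uid !in bodies )
        return;
    local st = bodies[c$uid];   # records are references, so edits persist
    if ( |st$body| + length > max_body_size )
        {
        st$truncated = T;
        return;
        }
    st$body = st$body + data;
    }

# http_end_entity fires once per part, so the request is only complete at
# http_message_done; inspect (or hand off) the accumulated body here.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    if ( ! is_orig || c$uid !in bodies )
        return;
    local st = bodies[c$uid];
    local method = c?$http && c$http?$method ? c$http$method : "-";
    local uri = c?$http && c$http?$uri ? c$http$uri : "-";
    print fmt("%s %s %s: %d entities, %d body bytes%s",
              c$uid, method, uri, st$entities, |st$body|,
              st$truncated ? " (truncated)" : "");
    delete bodies[c$uid];
    }
```

Run it as `bro -r capture.pcap multipart_body.bro` against a pcap containing the three-field curl POST from the top message and the line printed at http_message_done reports 3 entities, with the body holding all three values rather than only key3's. The size cap is there because a script that concatenates request bodies without a limit lets a single large upload grow script memory without bound.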
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170828/7320d3fb/attachment.html 

