[Bro] adding fields to HTTP log - cluster environment

william de ping bill.de.ping at gmail.com
Sun Mar 12 05:56:37 PDT 2017


Hi everyone,

I am trying to add a new field to the HTTP log.
I want to check if orig_h is in a table and, if true, add the value from
that table to the record.

I have a script that works in a single bro instance, but does not work in a
cluster environment:

@load base/protocols/http

redef record HTTP::Info += {
    field: string &log &optional;
};

# test_table is declared elsewhere; its definition is not part of this post.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    if ( c$http$id$orig_h in test_table )
        {
        c$http$field = test_table[c$http$id$orig_h];
        }
    }

I am not sure why this script works with bro in a single instance mode but
not in cluster mode.
Also, will giving a higher priority to the http_message_done event override
the actual event in main.bro under http?

thanks
B