[Bro] files.log - no filename over http

Seth Hall seth at corelight.com
Thu Aug 23 07:38:49 PDT 2018



On 21 Aug 2018, at 16:39, Seth Hall wrote:

> On 21 Aug 2018, at 16:16, Azoff, Justin S wrote:
>
>> It wouldn't be that hard to write a script that sets the filename to 
>> the last component of the uri path though, if that's what
>> you really wanted.
>
> I need to write a script for people to test.

A little late, but here is a script that adds a bunch of file names for 
files over HTTP.  If some people can run it and we get feedback I think 
we can target this change for 2.6.
	https://gist.github.com/sethhall/727ac36a630a642ca941661db68b87f4

For those that don't want to click on it, it works by watching for ETAG 
headers which are typically generated from the file timestamp and inode 
number of the file.  It appears that web apps don't tend to include this 
header and my testing showed that it was pretty reliable about only 
logging things that were real file names.

Let me know how it goes if anyone runs this!  Lots of new file names in 
files.log. :)

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com
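
The heuristic described in the message above (only name a transfer when the response carries an ETag header, using the last component of the URI path), as an added Python sketch. It is not the linked gist and not Bro script; the function names and sample records are constructed for illustration.

```python
# Added illustration; not the gist's Bro script. All names here are hypothetical.
from posixpath import basename
from urllib.parse import unquote, urlsplit


def filename_from_response(uri, resp_headers):
    """Return a candidate file name for an HTTP transfer, or None."""
    headers = {k.lower(): v for k, v in resp_headers.items()}
    # Gate on ETag: static files usually carry one, web-app responses usually don't.
    if not headers.get("etag", "").strip():
        return None
    # Last path component only; the query string is not part of the name.
    name = unquote(basename(urlsplit(uri).path))
    if name in ("", ".", ".."):
        return None  # directory-style URI, nothing to name
    # Percent-decoding can reveal separators or control bytes; keep those out of the log.
    if any(c in "/\\" or ord(c) < 0x20 for c in name):
        return None
    return name


# Constructed sample transfers: (request URI, response headers).
SAMPLES = [
    ("/downloads/setup.exe?v=3", {"ETag": '"2c1a-5f3e-57412ab0"'}),
    ("/docs/report%202018.pdf", {"etag": 'W/"abc123"'}),
    ("/api/v1/users/42", {"Content-Type": "application/json"}),
    ("/static/", {"ETag": '"1f-9a"'}),
    ("/files/..%2F..%2Fetc%2Fpasswd", {"ETag": '"1f-9b"'}),
]


def label_samples(samples=SAMPLES):
    """Map each sample URI to the file name that would be logged (or None)."""
    return {uri: filename_from_response(uri, hdrs) for uri, hdrs in samples}


if __name__ == "__main__":
    for uri, name in label_samples().items():
        print(f"{uri!r:40} -> {name!r}")
```

The last sample shows why the decoded name is checked before logging: an encoded separator in the final path component would otherwise put a traversal-looking string into the filename field.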

