[Bro] files.log - no filename over http

Izik Birka Izik.Birka at hot.net.il
Sun Aug 26 01:27:35 PDT 2018


Hi Seth,
Just ran it, works very well!
Thanks!

-----Original Message-----
From: Seth Hall <seth at corelight.com> 
Sent: Thursday, August 23, 2018 5:39 PM
To: Azoff, Justin S <jazoff at illinois.edu>
Cc: Izik Birka <Izik.Birka at hot.net.il>; bro at bro.org
Subject: Re: [Bro] files.log - no filename over http



On 21 Aug 2018, at 16:39, Seth Hall wrote:

> On 21 Aug 2018, at 16:16, Azoff, Justin S wrote:
>
>> It wouldn't be that hard to write a script that sets the filename to 
>> the last component of the uri path though, if that's what you really 
>> wanted.
>
> I need to write a script for people to test.

A little late, but here is a script that adds a bunch of file names for files over HTTP.  If some people can run it and we get feedback I think we can target this change for 2.6.
	https://gist.github.com/sethhall/727ac36a630a642ca941661db68b87f4

For those that don't want to click on it, it works by watching for ETAG headers which are typically generated from the file timestamp and inode number of the file.  It appears that web apps don't tend to include this header and my testing showed that it was pretty reliable about only logging things that were real file names.

Let me know how it goes if anyone runs this!  Lots of new file names in files.log. :)

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com
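
The heuristic described in the message above (take a file name from the URI only when the response carries an ETag header), sketched offline in Python as an added example. It is not the gist script and not Bro code; the function names, the constructed sample transactions and the rejection of decoded names that are not plain file names are assumptions of this sketch.

```python
from urllib.parse import urlsplit, unquote


def etag_filename(uri, response_headers):
    """Return the last URI path component if the response has an ETag, else None.

    uri: request target as seen on the wire (origin-form or absolute-form).
    response_headers: iterable of (name, value) pairs from the HTTP response.
    """
    # Header names are case-insensitive; an empty ETag value does not count.
    has_etag = any(name.strip().lower() == "etag" and value.strip()
                   for name, value in response_headers)
    if not has_etag:
        return None
    path = urlsplit(uri).path        # drops ?query and #fragment
    last = path.rsplit("/", 1)[-1]   # "" when the path ends in "/"
    name = unquote(last)             # percent-decode for logging
    # Assumption of this sketch: after decoding, log only plain file names,
    # so encoded separators or dot segments never reach the log as a "name".
    if not name or name in (".", "..") or "/" in name or "\x00" in name:
        return None
    return name


# Constructed sample transactions: (request URI, response headers).
SAMPLES = [
    ("/downloads/setup.exe?v=3",
     [("Content-Type", "application/octet-stream"), ("ETag", '"5b7e1c2a-1f40"')]),
    ("/api/v1/session",                      # dynamic response, no ETag
     [("Content-Type", "application/json")]),
    ("/docs/",                               # directory index, nothing to name
     [("etag", '"abc"')]),
    ("/files/report%202018.pdf",
     [("ETAG", 'W/"1a2b"')]),
]


def label_samples():
    """Inferred file name (or None) for each constructed sample, in order."""
    return [etag_filename(uri, headers) for uri, headers in SAMPLES]


if __name__ == "__main__":
    for (uri, _), name in zip(SAMPLES, label_samples()):
        print(f"{uri!r:32} -> {name!r}")
```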
