[Zeek] http body q.
Dk Jack
dnj0496 at gmail.com
Mon Jul 29 18:54:21 PDT 2019
Hi,

I am trying to understand the behavior of bro with respect to logging HTTP
requests when the HTTP request has a large body.

In my script, I am trying to log the HTTP body. I agree, HTTP bodies can be
large. However, I need the body for further parsing and analysis of traffic
based on the body content. To capture the body, I have set up event
handlers for http_entity_data and http_end_entity. In the 'http_entity_data'
event, I am accumulating the body data into a request variable. In the
end_entity event I am encoding the body data using base64_encode (since the
body can include non-printable characters).

This seems to work fine for small bodies. However, for large bodies, I
noticed that the log gets written without the body getting encoded. To
debug, I added a log filter. In the log predicate call, I can see the HTTP
log write happening before the end_entity event is called.

Is this how it's supposed to work?
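The setup described in the post (accumulate the request body in http_entity_data, base64-encode it in http_end_entity), written out as an added example that is not the poster's script. It assumes the Zeek event signatures http_entity_data(c, is_orig, length, data) and http_end_entity(c, is_orig) and the base64_encode BIF, which exist in Zeek; the module name, log path, field names and the 64 KiB cap are my own choices. Rather than trying to get the body into the http.log record before Zeek writes it, it writes the body to its own log stream at the point where the entity is known to be complete, and it bounds how much of a large body is kept so a big upload cannot grow memory without limit.

```zeek
# Added example (not the poster's script): capture the HTTP *request* body
# with a hard size cap, base64-encode it once the entity is complete, and
# write it to a dedicated log stream from http_end_entity, so the body does
# not depend on when Zeek writes http.log. Names below are assumptions.

module HTTPBody;

export {
    redef enum Log::ID += { LOG };

    # Upper bound on bytes kept per request entity; anything beyond is
    # dropped and flagged, so a large upload cannot exhaust memory.
    const max_body_len = 64 * 1024 &redef;

    type Info: record {
        ts:        time    &log;
        uid:       string  &log;
        id:        conn_id &log;
        method:    string  &log &optional;
        uri:       string  &log &optional;
        body_len:  count   &log;      # bytes actually kept
        truncated: bool    &log;      # true if the cap was hit
        body_b64:  string  &log;      # base64 of the kept bytes
    };
}

# Per-connection accumulator keyed by connection uid; expired if a
# connection never reaches http_end_entity (e.g. it was reset mid-body).
global req_bodies: table[string] of string &default="" &create_expire=5 min;
global req_truncated: set[string] &create_expire=5 min;

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="http_body"]);
    }

# Accumulate only originator (request) entity data, up to the cap.
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    if ( ! is_orig )
        return;

    local have = |req_bodies[c$uid]|;
    if ( have >= max_body_len )
        {
        add req_truncated[c$uid];
        return;
        }

    local room = max_body_len - have;
    if ( |data| > room )
        {
        # sub_bytes(s, start, n): start is 1-based.
        req_bodies[c$uid] += sub_bytes(data, 1, room);
        add req_truncated[c$uid];
        }
    else
        req_bodies[c$uid] += data;
    }

# The entity is complete here, so encode and log it now instead of
# waiting for the http.log write, whose timing is controlled elsewhere.
event http_end_entity(c: connection, is_orig: bool)
    {
    if ( ! is_orig )
        return;

    local body = req_bodies[c$uid];
    local rec = Info($ts=network_time(), $uid=c$uid, $id=c$id,
                     $body_len=|body|,
                     $truncated=(c$uid in req_truncated),
                     $body_b64=base64_encode(body));

    if ( c?$http )
        {
        if ( c$http?$method ) rec$method = c$http$method;
        if ( c$http?$uri )    rec$uri    = c$http$uri;
        }

    Log::write(LOG, rec);

    delete req_bodies[c$uid];
    delete req_truncated[c$uid];
    }
```

Load it with `zeek -r trace.pcap http_body.zeek` and a `http_body.log` appears beside `http.log`; one line is written per request entity, so a multipart request produces one line per part. The cap and the `truncated` flag are the part worth keeping even if you change everything else: an unbounded accumulator keyed by connection is the kind of state a single large POST can inflate, and the flag tells whoever parses the log downstream that the base64 they are decoding is not the whole body.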