[Zeek] http body q.

Dk Jack dnj0496 at gmail.com
Mon Jul 29 18:56:46 PDT 2019


Sorry, hit send before I finished my message.

Is there something I can do to ensure my end_entity event is invoked before
the http_log event is called? Any input is appreciated. Thanks.

Dk.

On Mon, Jul 29, 2019 at 6:54 PM Dk Jack <dnj0496 at gmail.com> wrote:

> Hi,
> I am trying to understand the behavior of bro with respect to logging an http
> request when the http request has a large body.
>
> In my script, I am trying to log the http body. I agree, http bodies can be
> large. However, I need the body for further parsing and analysis of traffic
> based on the body content. To capture the body, I have set up events for
> http_entity_data and http_end_entity. In the 'http_entity_data' event, I am
> accumulating the body data into a request variable. In the end_entity event
> I am encoding the body data using base64_encode (since the body can include
> non-printable characters).
>
> This seems to work fine for small bodies. However, for large bodies, I
> noticed that the log gets written without the body getting encoded. To
> debug, I added a log filter. In the log predicate call, I can see the http
> log writing happening before the end_entity event is called.
>
> Is this how it's supposed to work?
>
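One way to wire up the accumulate-then-encode approach described above, as an added example rather than the poster's own script. It assumes a module name BodyLog, field names req_body_b64 and req_body_buf, and a constructed 64 KiB cap; the Zeek built-in used for encoding is encode_base64, and the fallback handler relies on base/protocols/http/main.zeek writing HTTP::LOG from http_message_done at &priority=-5.

```zeek
@load base/protocols/http

module BodyLog;

export {
    redef record HTTP::Info += {
        ## Base64-encoded request body, set once the request entity ends.
        req_body_b64: string &log &optional;
        ## In-flight accumulator for request entity data; not logged.
        req_body_buf: string &default="";
    };

    ## Upper bound on bytes retained per request (constructed value; tune it).
    const max_req_body_bytes: count = 65536 &redef;
}

event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=5
    {
    # Only the client-side (request) entity, and only while HTTP state exists.
    if ( ! is_orig || ! c?$http )
        return;

    local have = |c$http$req_body_buf|;
    if ( have >= max_req_body_bytes )
        return;

    local room = max_req_body_bytes - have;
    c$http$req_body_buf += ( |data| <= room ) ? data : sub_bytes(data, 1, room);
    }

# Encode once so the logged field holds the whole body (or the capped
# prefix) rather than a partial chunk; idempotent if called twice.
function finalize_req_body(c: connection)
    {
    if ( ! c?$http || c$http?$req_body_b64 || |c$http$req_body_buf| == 0 )
        return;
    c$http$req_body_b64 = encode_base64(c$http$req_body_buf);
    c$http$req_body_buf = "";
    }

event http_end_entity(c: connection, is_orig: bool) &priority=5
    {
    if ( is_orig )
        finalize_req_body(c);
    }

# Safety net: the base HTTP script writes HTTP::LOG from http_message_done
# at &priority=-5, so this higher-priority handler runs before that write
# and finalizes any buffered request data that has not been encoded yet.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &priority=0
    {
    finalize_req_body(c);
    }
```

The log filter predicate from the post can then check for the presence of req_body_b64 to confirm the field was populated before the write.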