[Zeek] http body q.

Jon Siwek jsiwek at corelight.com
Tue Jul 30 09:41:47 PDT 2019


On Mon, Jul 29, 2019 at 6:59 PM Dk Jack <dnj0496 at gmail.com> wrote:

>> This seems to work fine for small bodies. However, for large bodies, I noticed that the log gets written without the body getting encoded.

For performance reasons, there's an option which throttles the maximum
amount of data provided in entity_data events to 1500 bytes by
default:

https://docs.zeek.org/en/stable/scripts/base/init-bare.bro.html#id-http_entity_data_delivery_size

So you can see if changing that `http_entity_data_delivery_size`
option works for you.

> Is there something I can do to ensure my end_entity event is invoked before http_log event is called? Any input is appreciated. Thanks.

I think normally that should not be the order of things.  Might be
easier to explain what's going on if you provide an example script and
pcap that reproduces what you are seeing.

- Jon
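
An added example (not part of the original message, and not the Zeek project's own code): a script that raises `http_entity_data_delivery_size`, reassembles a response body across successive `http_entity_data` events under a size cap, and base64-encodes it at `http_end_entity`. The field names `body_buf` and `body_b64`, the constant `max_body_capture`, both size values, and the choice to capture only response bodies are assumptions made for illustration.

```zeek
# Added example; field/constant names and sizes are assumptions.
@load base/protocols/http

# Deliver body data to http_entity_data in larger chunks (default: 1500).
redef http_entity_data_delivery_size = 16384;

# Hypothetical cap on bytes kept per entity, to bound memory use.
const max_body_capture: count = 65536 &redef;

redef record HTTP::Info += {
	body_buf: string &optional;       # scratch buffer, not logged
	body_b64: string &optional &log;  # base64 of the captured body
};

event http_begin_entity(c: connection, is_orig: bool)
	{
	# Response bodies only; each new entity starts with an empty buffer.
	if ( ! is_orig && c?$http )
		c$http$body_buf = "";
	}

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
	{
	if ( is_orig || ! c?$http || ! c$http?$body_buf )
		return;

	local have = |c$http$body_buf|;
	if ( have >= max_body_capture )
		return;

	# Append this chunk, truncated to the room left under the cap.
	local room = max_body_capture - have;
	local chunk = ( |data| <= room ) ? data : sub_bytes(data, 1, room);
	c$http$body_buf += chunk;
	}

event http_end_entity(c: connection, is_orig: bool)
	{
	if ( is_orig || ! c?$http || ! c$http?$body_buf )
		return;

	# Encode once, after the last chunk, then drop the scratch buffer.
	if ( |c$http$body_buf| > 0 )
		c$http$body_b64 = encode_base64(c$http$body_buf);
	delete c$http$body_buf;
	}
```

Bodies longer than `max_body_capture` are logged truncated, so the cap should be sized to the largest body that needs to be recovered from the log.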

