[Zeek] Need help splitting HTTP log

Justin Azoff justin at corelight.com
Mon Jun 29 06:04:22 PDT 2020


You're close, but you're using 'c$http', which doesn't exist there.
Instead use the 'rec' variable, which is the current HTTP::Info record
named in the line above.

On Mon, Jun 29, 2020 at 4:11 AM Jorge Garcia Rodriguez <jgarciar at sia.es> wrote:
>
> Hi everyone!
>
>
>
> I'm trying to split the HTTP logs in two.
>
>
>
> What I want to accomplish is that when the http event tags have the “URI_SQLI”, instead of being logged in the normal http.log I want it to be logged in a new http-sqli.log.
>
>
>
> I have tried a lot of different ways but with no success, since this is the very first script that I'm writing for Zeek.
>
>
>
> This is one of the ways that I've tried:
>
>
>
> event zeek_init()
>         {
>         Log::remove_default_filter(HTTP::LOG);
>         Log::add_filter(HTTP::LOG, [$name = "http-sqli",
>                                     $path_func(id: Log::ID, path: string, rec: HTTP::Info) = {
>                                         return ([URI_SQLI] in c$http$tags ? "http-sqli" : "http");
>                                     }]);
>                                }
>
>
>
> The problem here seems that I cannot refer properly to the “tags” field.
>
>
>
> Thanks for your time.
>
>
>
> Regards!
>
>
>
> Jorge García Rodríguez
> Technical Consultant
> Security Infrastructures
> jgarciar at sia.es
>
> Grupo SIA
> Avda.Europa,2 - Alcor Plaza, Edificio B - Parque Oeste Alcorcón
> 28922 Alcorcón - Madrid
> Tlf: +34 902 480 580   Fax: +34 91 307 79 80
> www.siainternational.com
>
> delivering value
>
> This e-mail and any attached files are intended solely for the addresse/s identified herein. It may contain confidential and/or legally privileged information and may not necessarily represent the opinion of SIA.
>
> No legally binding commitments will be created by this E-mail message. Where we intend to create legally binding commitments these will be made through hard copy correspondence or documents. If you receive this message by mistake, please immediately notify the sender and delete it since you are not authorized to use, disclose, distribute, print or copy all or part of the contained information Thank you. It is understood that the message was sent to you accidentally, although you appear as the addressee, you can see from the frame of existing relations that you were not the final addressee.
>
>
>
>
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
Justin
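For reference, a complete version of the filter that applies Justin's correction (use the `rec` record handed to the path function, not `c$http`). This is an added example, not code from the thread; it assumes the stock `policy/protocols/http/detect-sqli` script is loaded, which is what defines the `HTTP::URI_SQLI` tag and adds it to `HTTP::Info$tags`. The filter name "http-split" is arbitrary.

```zeek
# Added example: route HTTP records tagged URI_SQLI to http-sqli.log and
# everything else to the normal http.log.  Assumes detect-sqli is loaded so
# that HTTP::URI_SQLI exists and is set on matching records.
@load protocols/http/detect-sqli

event zeek_init()
    {
    # Drop the stock filter so the record is written exactly once, by ours.
    Log::remove_default_filter(HTTP::LOG);

    Log::add_filter(HTTP::LOG, [$name="http-split",
        # The path function receives the record about to be written as 'rec'.
        # There is no connection record in this context, so c$http is undefined;
        # rec is the HTTP::Info record whose 'tags' field we want to inspect.
        $path_func=function(id: Log::ID, path: string, rec: HTTP::Info): string
            {
            # HTTP::Info$tags is a set[HTTP::Tags] (defaults to an empty set),
            # so membership is tested with the enum value, not a one-element set.
            if ( HTTP::URI_SQLI in rec$tags )
                return "http-sqli";   # written to http-sqli.log

            return "http";            # written to http.log as before
            }
        ]);
    }
```

Two points worth knowing before deploying this: the path returned must be a plain file stem without an extension (the writer appends `.log`), and because the default filter was removed, a record goes to exactly one of the two files. If you would rather keep http.log complete and only add a copy of the suspicious requests, leave the default filter in place and add a second filter with a `$pred` that returns true only when `HTTP::URI_SQLI in rec$tags`, with `$path="http-sqli"`.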


