Enforce hex encoding in log output

jessebowling · February 12, 2013, 4:38am

So I wanted some Bro to capture the contents of HTTP POST’s, and found in the archives that Seth had already written such a thing:

module HTTP;

export {

The number of bytes that will be included in the http

log from the client body.

const post_body_limit = 1024;

redef record Info += {
post_body: string &log &optional;
};

}

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
{
if ( is_orig )
{
if ( ! c$http?$post_body )
c$http$post_body = sub_bytes(data, 0, post_body_limit);
else if ( |c$http$post_body| < post_body_limit )
c$http$post_body = string_cat(c$http$post_body, sub_bytes(data, 0, post_body_limit-|c$http$post_body|));
}
}

So now my question is: in the output of the data, can we ensure that ALL data is hex encoded, even if it’s part of the ASCII character set? I need to put this data into a feed, and not being able to count on a delimiter is problematic…

Thanks,

Jesse

Seth_Hall3 · February 12, 2013, 5:06am

Just do this…

                if ( ! c$http?$post_body )
                        c$http$post_body = bytestring_to_hexstr(sub_bytes(data, 0, post_body_limit));
                else if ( |c$http$post_body| < post_body_limit )
                        c$http$post_body = string_cat(c$http$post_body, bytestring_to_hexstr(sub_bytes(data, 0, post_body_limit-|c$http$post_body|)));

.Seth

Topic		Replies	Views
http body q. Zeek	6	117	May 6, 2022
Zeek 6.1.1 http response body Zeek	2	152	February 14, 2024
Support for HTTP body extraction of originator Development development	8	70	May 6, 2022
http multi-part Zeek	5	77	May 6, 2022
http response encoded length ? Zeek	3	44	May 6, 2022

Enforce hex encoding in log output

The number of bytes that will be included in the http

log from the client body.

Related Topics