So I wanted some Bro to capture the contents of HTTP POSTs, and found in the archives that Seth had already written such a thing:
module HTTP;

export {
    ## The number of bytes that will be included in the http
    ## log from the client body.
    const post_body_limit = 1024;

    redef record Info += {
        post_body: string &log &optional;
    };
}

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    # Only data sent by the originator (the client) is part of the request body.
    if ( is_orig )
        {
        # First chunk: keep at most post_body_limit bytes.
        if ( ! c$http?$post_body )
            c$http$post_body = sub_bytes(data, 0, post_body_limit);
        # Later chunks: append only as many bytes as still fit under the limit.
        else if ( |c$http$post_body| < post_body_limit )
            c$http$post_body = string_cat(c$http$post_body, sub_bytes(data, 0, post_body_limit-|c$http$post_body|));
        }
    }
So now my question is: in the output of the data, can we ensure that ALL data is hex encoded, even if it’s part of the ASCII character set? I need to put this data into a feed, and not being able to count on a delimiter is problematic…
Thanks,
Jesse
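
One way to get a body field in which every byte is hex encoded, as an added example that is not part of the original post or Seth's script. It assumes a Bro version that provides the bytestring_to_hexstr built-in; the names post_body_hex_limit and post_body_hex are made up for illustration.

```bro
module HTTP;

export {
    ## Assumed name: maximum number of raw body bytes kept per request.
    const post_body_hex_limit = 1024;

    redef record Info += {
        ## Assumed field: client body with every byte written as two
        ## hex digits, so the value only contains [0-9a-f].
        post_body_hex: string &log &optional;
    };
}

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    if ( ! is_orig || ! c?$http )
        return;

    # Two hex digits per raw byte, so the raw byte count already
    # stored is half the length of the hex string.
    local have = c$http?$post_body_hex ? |c$http$post_body_hex| / 2 : 0;
    if ( have >= post_body_hex_limit )
        return;

    # Truncate on raw bytes first, then encode, so a chunk boundary
    # never splits a hex pair.
    local chunk = sub_bytes(data, 1, post_body_hex_limit - have);
    local hex = bytestring_to_hexstr(chunk);

    if ( c$http?$post_body_hex )
        c$http$post_body_hex = c$http$post_body_hex + hex;
    else
        c$http$post_body_hex = hex;
    }
```

Because the field is limited to hex digits, any separator outside that alphabet can be used safely in the feed, and the consumer recovers the body by decoding pairs of digits.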