http multi-part

Hi,
I am trying to perform some analysis on the HTTP body. For regular messages I am accumulating the HTTP body using the http_entity_data and http_end_entity events. However, this doesn't seem to work for multi-part POST messages. How do I accumulate multi-part POST messages? Any help is appreciated. Thanks.

Dk.

Hi:

The attached policy should help you. It assembles multipart HTTP POSTs, and performs regular expression matching on the POST contents.

Jim

http-sensitive_POSTs.bro (2.77 KB)

Hi Jim,
I am doing something very similar to what you are doing in your script. However, I am unable to capture the body when the content-type is:

Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n

When I use the entity_data and end_entity event functions, what I accumulate for the body when I receive a multi-part body is just a small string:

YWFhYWFh

However, I know my body is much larger. I've copy-pasted the Wireshark output of the multi-part content to the end of this email.

I see there are mime_xxx functions. Should I be using them to capture multi-part content? If they should be used, any help in how they should be used would be most appreciated. Thanks.

Dk.

[HTTP request 1/1]
File Data: 736 bytes
MIME Multipart Media Encapsulation, Type: multipart/form-data, Boundary: "----WebKitFormBoundarygsgnAl2Dz3rduY2p"
[Type: multipart/form-data]
First boundary: ------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
Encapsulated multipart part:
Content-Disposition: form-data; name="success_url"\r\n\r\n
Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
Encapsulated multipart part:
Content-Disposition: form-data; name="error_url"\r\n\r\n
Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
Encapsulated multipart part:
Content-Disposition: form-data; name="firstname"\r\n\r\n
Data (1 byte)

0000 61 a
[Length: 1]
Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
Encapsulated multipart part:
Content-Disposition: form-data; name="lastname"\r\n\r\n
Data (1 byte)

0000 62 b
[Length: 1]
Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
Encapsulated multipart part:
Content-Disposition: form-data; name="email"\r\n\r\n
Data (7 bytes)

0000 62 40 63 2e 63 6f 6d b@c.com
[Length: 7]
Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
Encapsulated multipart part:
Content-Disposition: form-data; name="password"\r\n\r\n
Data (6 bytes)

0000 61 61 61 61 61 61 aaaaaa
[Length: 6]
Boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p\r\n
Encapsulated multipart part:
Content-Disposition: form-data; name="confirmation"\r\n\r\n
Data (6 bytes)

0000 61 61 61 61 61 61 aaaaaa
[Length: 6]
Last boundary: \r\n------WebKitFormBoundarygsgnAl2Dz3rduY2p--\r\n

Perhaps posting the script you are using and a sample pcap might help to debug the issue you are having.

Cheers,

Jim

I did some more investigation and it seems like my understanding of how bro works was incomplete.

What I observed is, for each entity/boundary in a multipart form request, Bro is raising a unique pair of http_entity_data and http_end_entity events. For example, if you send a curl request as shown below:

curl -v --form "key1=value1" --form "key2=value2" --form "key3=value3"

then bro is raising three pairs of http_entity_data and http_end_entity events. I was assuming I'd just get one pair of events. Since I was expecting only one event, I was overwriting the body I had saved from the previous event. As a result, my body variable was retaining only the last part of the multi-part form.
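Building on the observation above (one http_entity_data/http_end_entity pair per MIME part), the following Bro/Zeek script appends each part to a per-request buffer and only inspects the body once http_message_done signals the whole message is in. This is an added example, not the policy Jim attached; the module name, the size cap and the search pattern are assumptions.

```zeek
# Added example: assemble every part of a multipart POST before matching.
# Each part raises its own http_entity_data/http_end_entity pair, so the
# handler must append, and act only once http_message_done fires.
module MultipartBody;

export {
    ## Cap on buffered body bytes per request (assumed value).
    const max_body_len = 64 * 1024 &redef;
    ## Pattern to search for in the assembled body (placeholder).
    const sensitive = /password=|passwd=/ &redef;
}

type State: record {
    body:  string &default="";
    parts: count  &default=0;
};

# Keyed by connection uid; a new request on the same connection resets it.
global states: table[string] of State;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    states[c$uid] = State();
    }

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    if ( ! is_orig || c$uid !in states )
        return;
    local s = states[c$uid];
    # Append rather than overwrite; stop growing past the cap.
    if ( |s$body| + length <= max_body_len )
        s$body = s$body + data;
    }

event http_end_entity(c: connection, is_orig: bool)
    {
    if ( is_orig && c$uid in states )
        ++states[c$uid]$parts;
    }

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    if ( ! is_orig || c$uid !in states )
        return;
    local s = states[c$uid];
    delete states[c$uid];
    if ( sensitive in s$body )
        print fmt("%s: %d-part POST body (%d bytes) matched", c$uid, s$parts, |s$body|);
    }
```

The data handed to http_entity_data is the decoded part content only, so the field names from each Content-Disposition header are not in the buffer; match on values, or track the part headers separately.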