HTTP Post data

Hi all,

Is there a way to write the data (body) of an HTTP POST request to the http.log? Or another log file?

Thank you,

Will

Is there a way to write the data (body) of an HTTP POST request to the
http.log? Or another log file?

Yes, that's possible. You would have to reassemble the data from the
body across the http_entity_* events. Here is an example of how one
could do it:

https://github.com/mavam/brospects/blob/master/bro/bodies.bro

    Matthias

Very cool!

I will check this out. We have had some interesting data in forms that are being submitted.

Thank you,

Will

This is important enough that the Bro team might want to work on
something that's on by default. Specifically, many attackers hide
SQLi in POST params, so auto-extracting and logging some default,
finite limit of POST params into the HTTP log would be a big win for
the community.

Yep, I've done that before and (again!) it's another source of perspective change on network traffic.

Regarding the SQLi detection, I've been planning on extending the SQLi detection script to cover POST data for a long time. Adding post data to the logs is at least easy. I attached a script which will just blindly add a configurable amount of data to your http.log.

I'm not so sure it would ever be turned on by default, but we can certainly consider including a script that does this. It's a load statement away from being enabled that way. ;)

http-extract-post.bro (574 Bytes)
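A sketch of the approach discussed in this thread, added here as an example; it is not the attached http-extract-post.bro and not code from any of the posters. It appends the chunks delivered by `http_entity_data` to a new http.log column until a cap is reached; the names `post_body_limit`, `post_body` and `post_body_truncated` are assumptions chosen for illustration.

```bro
##! Added example: log a bounded prefix of each HTTP POST body in http.log.
module HTTP;

export {
	## Maximum number of body bytes kept per request (assumed default).
	const post_body_limit: count = 1024 &redef;

	redef record Info += {
		## First post_body_limit bytes of the client's POST body.
		post_body: string &log &optional;
		## Set when the body was longer than what was kept.
		post_body_truncated: bool &log &default=F;
	};
}

# The body arrives in chunks, so append each chunk until the cap is hit.
# The cap bounds both per-connection memory and the size of the log line.
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
	{
	# Only client-to-server entities of POST requests are of interest.
	if ( ! is_orig || ! c?$http || ! c$http?$method || c$http$method != "POST" )
		return;

	if ( ! c$http?$post_body )
		c$http$post_body = "";

	local have = |c$http$post_body|;
	if ( have >= post_body_limit )
		{
		# Cap already reached: record that more data followed, keep nothing.
		if ( |data| > 0 )
			c$http$post_body_truncated = T;
		return;
		}

	local room = post_body_limit - have;
	if ( |data| > room )
		{
		# sub_bytes() positions are 1-based.
		c$http$post_body = c$http$post_body + sub_bytes(data, 1, room);
		c$http$post_body_truncated = T;
		}
	else
		c$http$post_body = c$http$post_body + data;
	}
```

POST bodies routinely carry credentials and session tokens, so an http.log extended this way needs the same access controls as captured traffic.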