HTTP traffic logging


I am interested in logging full* HTTP traffic content into log files/SIEM solution for inspection on later date.

Scenario would be to parse plaintext/decrypted HTTP traffic with Bro and store source/dest, uri, POST/GET data values. This is for historical search for malicious content on later date in the SIEM solution.

Critical parts are src, dst, URI, POST/GET data that is submitted.

I am currently going through Bro documentation but cant find any info on how can I do this. I am looking at

As I understand the content of POST data is stored in HTTP request so I would need to use http_request or http_entity_data.
Also I am pretty new to Bro so I’m not even sure how to start with this.My end goal would be to have a log that looks something like this:

timestamp, method, src_ip, src_port, dst_ip, dst_port, uri, data(GET/POST, key value pairs like name=mike&occupation=driver).

Best Regards,

Gediminas Margis,

PGP Key-ID: 0xE6D92FE2FA3AD133
77BD 9F67 F1CF 72B0 7273 E086 E6D9 2FE2 FA3A D133


The folks at Broala have written a script that logs POST data. I think this does most of what you’re looking for:

You might want to consider adding additional logic to that script to selectively log POST bodies. Depending on your environment POST can get big.