I am interested in logging full* HTTP traffic content into log files/SIEM solution for inspection on later date.
Scenario would be to parse plaintext/decrypted HTTP traffic with Bro and store source/dest, uri, POST/GET data values. This is for historical search for malicious content on later date in the SIEM solution.
Critical parts are src, dst, URI, POST/GET data that is submitted.
I am currently going through Bro documentation but cant find any info on how can I do this. I am looking at https://www.bro.org/sphinx/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro.html
As I understand the content of POST data is stored in HTTP request so I would need to use http_request or http_entity_data.
Also I am pretty new to Bro so I’m not even sure how to start with this.My end goal would be to have a log that looks something like this:
timestamp, method, src_ip, src_port, dst_ip, dst_port, uri, data(GET/POST, key value pairs like name=mike&occupation=driver).
PGP Key-ID: 0xE6D92FE2FA3AD133 http://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0xE6D92FE2FA3AD133
77BD 9F67 F1CF 72B0 7273 E086 E6D9 2FE2 FA3A D133