HTTP traffic logging

Hello,

I am interested in logging full* HTTP traffic content into log files/SIEM solution for inspection on later date.

Scenario would be to parse plaintext/decrypted HTTP traffic with Bro and store source/dest, uri, POST/GET data values. This is for historical search for malicious content on later date in the SIEM solution.

Critical parts are src, dst, URI, POST/GET data that is submitted.

I am currently going through Bro documentation but cant find any info on how can I do this. I am looking at https://www.bro.org/sphinx/scripts/base/bif/plugins/Bro_HTTP.events.bif.bro.html

As I understand the content of POST data is stored in HTTP request so I would need to use http_request or http_entity_data.
Also I am pretty new to Bro so I’m not even sure how to start with this.My end goal would be to have a log that looks something like this:

timestamp, method, src_ip, src_port, dst_ip, dst_port, uri, data(GET/POST, key value pairs like name=mike&occupation=driver).


Best Regards,

Gediminas Margis,

PGP Key-ID: 0xE6D92FE2FA3AD133 http://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0xE6D92FE2FA3AD133
77BD 9F67 F1CF 72B0 7273 E086 E6D9 2FE2 FA3A D133

Gediminas,

The folks at Broala have written a script that logs POST data. I think this does most of what you’re looking for:

https://github.com/broala/bro-snippets/blob/master/http-add-post-bodies.bro

You might want to consider adding additional logic to that script to selectively log POST bodies. Depending on your environment POST can get big.

-AK