Hi everyone!
We have integrated the plugin to detect XSS attacks. However, we would find it useful to include some of the fields from http.log in xss.log. For example, we want to add the “referrer” field that exists in http.log to xss.log.
I have been trying to include this field in xss.log as follows:
    export {
        redef enum Log::ID += {LOG};
        type Info: record {
            referrer: string &log &optional;
        };
    }

    event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) {
        local xss_payload = sanitize(unescaped_URI);
        if ( match_xss_reflected in xss_payload ) {
            local rec: XSS::Info = [
                $ts=network_time(),
                $id=c$id,
                $proto=get_port_transport_proto(c$id$resp_p),
                $method=method,
                $xss_payload=xss_payload,
                $referrer=c$http$referrer
            ];
            Log::write(XSS::LOG, rec);
        }
    }
This way “Zeekctl deploy” shows no errors, but the xss.zeek script doesn’t print new events.
Can someone help me with this problem?
Thanks for your time.
Best regards!
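
Added example, not part of the original post and not the plugin's code: Zeek's base HTTP script fills `c$http$referrer` from the Referer header in `http_header`, which is raised after `http_request`, so an unguarded read of that optional field inside `http_request` aborts the handler with a runtime error recorded in reporter.log. The sketch below logs at `http_message_done` and guards each optional field; the module name `XSSDemo`, the log path, the record layout and the placeholder pattern are assumptions made for illustration.

```zeek
# Added example: module, stream, fields and pattern are hypothetical.
@load base/protocols/http

module XSSDemo;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:       time    &log;
        id:       conn_id &log;
        method:   string  &log &optional;
        uri:      string  &log;
        # Optional: many requests carry no Referer header at all.
        referrer: string  &log &optional;
    };
}

# Constructed placeholder standing in for the plugin's own matcher.
const suspicious = /onerror=|onload=|javascript:|alert\(/ &redef;

event zeek_init()
    {
    Log::create_stream(XSSDemo::LOG, [$columns=Info, $path="xss_demo"]);
    }

# The request headers have all been seen by the time this event fires
# for the originator side, so c$http$referrer is set if one was sent.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    if ( ! is_orig || ! c?$http || ! c$http?$uri )
        return;

    local uri = to_lower(unescape_URI(c$http$uri));

    if ( suspicious in uri )
        {
        local rec: Info = [$ts=network_time(), $id=c$id, $uri=uri];

        # Copy optional fields only when present; reading an unset
        # &optional field is a runtime error that ends the handler.
        if ( c$http?$method )
            rec$method = c$http$method;
        if ( c$http?$referrer )
            rec$referrer = c$http$referrer;

        Log::write(XSSDemo::LOG, rec);
        }
    }
```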