Raw HTTP Headers

Hello,

I’d like to write a script for HTTP requests, but I need the raw and untruncated headers to do this. I can’t seem to find an event that will give me this data to work with. I’ve looked at http_all_headers and http_header, but they still strip whitespace.

Is there any (current) way of doing this? It’d be nice to be able to do this without having to modify the analyzer.

Thanks!
Andrew

I believe that this isn't available since (as you already discovered), the analyzer strips whitespace. The only option would be to modify the analyzer or write a new one.

   .Seth

Thanks Seth!

I was hoping to have a new Zeek script written for the Zeek contest, but it doesn’t look like modules that need source code modifications will be considered.

Andrew

Aw! Sorry to hear that. It's equally frustrating for us when people run into problems that can't be fixed merely with scripts. Hopefully in the future we'll have a better solution for you. Hopefully you can figure out a different approach or some other script for the contest!

   .Seth