Zeek 6.1.1 http response body

I'm trying to log the actual response body into the log (http.log), and I wrote a script with ChatGPT to do that for me:
@load base/protocols/http

redef record HTTP::Info += {
    response_body: string &log &optional;
};

# Keyed by connection uid, accumulates the server body across entity chunks
global http_response_bodies: table[string] of string = {};

event http_entity_data(c: connection, is_orig: bool, length: count, data: string) {
    if (!is_orig) { # Only capture responder (server) data
        if (c$uid in http_response_bodies) {
            http_response_bodies[c$uid] += data;
        } else {
            http_response_bodies[c$uid] = data;
        }
    }
}

event http_reply(c: connection, version: string, code: count, reason: string) {
    if (c$uid in http_response_bodies) {
        local body = http_response_bodies[c$uid];
        if (|body| > 0) { # Ensure the body is not empty
            print fmt("Captured response body for connection %s: %s", c$id$orig_h, body);
            c$http$response_body = body;
            delete http_response_bodies[c$uid];
        }
    }
}

but it did not work at all as expected. Can anybody help me fix it, or give me a way to log the response body (it's text with an MD5 hash) into the http.log?

thx a lot

It’s actually pretty close.

http_reply happens before the http_entity_data event. If you look at http/main.zeek, you’ll see you should’ve used http_message_done instead. If you use that event for the second part, the body is logged in my experiments here. The MD5 hash should just be:

c$http$response_md5 = md5_hash(body)

The script can be a bit improved: You don't need the global http_response_bodies (can just build up the variable attached to the current HTTP::Info). Also, if you're monitoring a lot of HTTP traffic, you will likely overload your SIEM system. http_entity_data is a pretty expensive event for Zeek, too. Mostly, be aware of potential performance issues.
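Below is a worked version of what the reply describes, written as an added example rather than code posted in the thread: the body is accumulated on the `HTTP::Info` record itself, finalized in `http_message_done`, and only the MD5 digest is written to http.log. The `max_response_body_size` cap and the `response_body_truncated` field are my own additions, assumed as a guard against the memory and log-volume issues the reply warns about.

```zeek
# Added example (not from the thread). Keeps the server body on HTTP::Info,
# finalizes in http_message_done (fires after every http_entity_data event and
# before base/protocols/http/main.zeek writes the http.log line), and logs only
# the MD5 of the complete body so the log entry stays small.
@load base/protocols/http

redef record HTTP::Info += {
    ## Accumulated server response body; deliberately not &log (can be large).
    response_body: string &default="";
    ## MD5 of the complete response body, written to http.log.
    response_md5: string &log &optional;
    ## Assumed field: set when the body exceeded max_response_body_size.
    response_body_truncated: bool &log &default=F;
};

## Assumed upper bound on buffered body bytes per transaction; tune as needed.
const max_response_body_size: count = 64 * 1024 &redef;

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    # Only the responder (server) side, and only once HTTP::Info exists.
    if ( is_orig || ! c?$http )
        return;

    # Stop buffering once the cap is reached; flag it instead of growing memory.
    if ( |c$http$response_body| >= max_response_body_size )
        {
        c$http$response_body_truncated = T;
        return;
        }

    c$http$response_body += data;
    }

# Default priority (0) runs before main.zeek's &priority=-5 handler that calls
# Log::write, so response_md5 is already set when the http.log line is emitted.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    if ( is_orig || ! c?$http )
        return;

    # Only hash a body we saw in full; a digest of a truncated body would mislead.
    if ( |c$http$response_body| > 0 && ! c$http$response_body_truncated )
        c$http$response_md5 = md5_hash(c$http$response_body);
    }
```

Run it against a capture with `zeek -r trace.pcap response_md5.zeek` (script name assumed) and look for the `response_md5` and `response_body_truncated` columns in http.log. If you really do want the raw text in the log, add `&log` to `response_body`, but keep the cap: http_entity_data fires for every chunk of every body, and unbounded buffering is what makes this approach expensive on busy links.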

Thx for your reply

I fixed it and now its response value gets hashed into base64.
Thanks. Now I'm trying to extract content_type from a pcap file whose content_type is "application/x-www-form-urlencoded", but Zeek shows orig_mime_type "text/plain". In Wireshark it shows it like this:

And in http.log, it did not contain the response (frame 3266 in the pcap); it just logged the selected frame in Wireshark.
I checked conn.log too. It contains some resp bytes and it has some missing bytes (every time I run Zeek to analyze the pcap), and every time it has the same amount of missing bytes. To fix it, how can I edit protocol/http/main.zeek (or anywhere) to fix the logging problem? Is it possible to fix this issue I described here?
I see possible split routing in the weird.log, but in tcpdump and Wireshark it parses totally OK.
Sorry for the long reply.