>> Is there somewhere else you could stash the information that you need?

Yes, I re-worked the script yesterday to redef/extend the HTTP::Info record and 
store the information there.  But I notice it works differently than before, 
and I must do some extra effort to store it in the HTTP::Info record.

Originally, in my 'icap_header' event handler within main.bro, I would check 
c?$http and create one if it did not exist yet for this connection.  Within the 
same event, if the ICAP header is 'X-Authenticated-User', then I would copy 
that value into the modified 'conn_id' record within the 'c$http$id$orig_u' 
field.  Easy peasy, the orig_u column would be added to every log file that 
prints the conn_id record, and that column would contain the correct value.

But what I encountered yesterday when extending the HTTP::Info record to 
include the 'orig_u' field, it did not work so easily.  Within the 
'icap_header' event handler, I did everything the same except that I copied the 
value into 'c$http$orig_u' field (instead of 'c$http$id$orig_u').  However, it 
behaved differently: while the orig_u column would be added as the final column 
of the http.log (as expected), the value would be a dash '-', as if the value 
was unset.  This was troubling me because I explicitly set the value within the 
'icap_header' event handler.  To remedy this, I had to create an event handler 
for 'http_request' and therein set the value of 'c$http$orig_u' accordingly.  
Fortunately, this worked, but I wonder why it did not work within 
'icap_header', why the value was lost?

Mark I. Fernandez

-----Original Message-----
From: Seth Hall [] 
Sent: Thursday, September 22, 2016 10:37 AM
To: Fernandez, Mark I <>
Subject: Re: [Bro-Dev] ICAP Analyzer Design Guidance

> On Sep 21, 2016, at 5:03 PM, Fernandez, Mark I <> wrote:
> Design guidance: is it acceptable to redefine/extend the ‘conn_id’ record as 
> described above?

You probably don't want to extend the conn_id record.  There are some cases 
where it can cause trouble doing lookups because the conn_id is used at a table 
index in a lot of places.

Is there somewhere else you could stash the information that you need?


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

bro-dev mailing list

Reply via email to