Seth,

>> Is there somewhere else you could stash the information that you need?

Yes, I re-worked the script yesterday to redef/extend the HTTP::Info record and store the information there. But I notice it works differently than before, and I must make some extra effort to store it in the HTTP::Info record.

Originally, in my 'icap_header' event handler within main.bro, I would check c?$http and create one if it did not exist yet for this connection. Within the same event, if the ICAP header is 'X-Authenticated-User', then I would copy that value into the modified 'conn_id' record within the 'c$http$id$orig_u' field. Easy peasy: the orig_u column would be added to every log file that prints the conn_id record, and that column would contain the correct value.

But what I encountered yesterday, when extending the HTTP::Info record to include the 'orig_u' field, is that it did not work so easily. Within the 'icap_header' event handler, I did everything the same except that I copied the value into the 'c$http$orig_u' field (instead of 'c$http$id$orig_u'). However, it behaved differently: while the orig_u column would be added as the final column of the http.log (as expected), the value would be a dash '-', as if the value was unset. This was troubling me because I explicitly set the value within the 'icap_header' event handler.

To remedy this, I had to create an event handler for 'http_request' and therein set the value of 'c$http$orig_u' accordingly. Fortunately, this worked, but I wonder why it did not work within 'icap_header'. Why was the value lost?

Thanks!
Mark I. Fernandez


-----Original Message-----
From: Seth Hall [mailto:[email protected]]
Sent: Thursday, September 22, 2016 10:37 AM
To: Fernandez, Mark I <[email protected]>
Cc: [email protected]
Subject: Re: [Bro-Dev] ICAP Analyzer Design Guidance

> On Sep 21, 2016, at 5:03 PM, Fernandez, Mark I <[email protected]> wrote:
>
> Design guidance: is it acceptable to redefine/extend the 'conn_id' record as
> described above?

You probably don't want to extend the conn_id record. There are some cases where it can cause trouble doing lookups because the conn_id is used as a table index in a lot of places. Is there somewhere else you could stash the information that you need?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
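Editor's note with an added example (this is not Mark's script, nor code from the Bro distribution). The lost value is consistent with how base/protocols/http/main.bro works: its http_request handler runs at &priority=5, increments the per-connection request counter and assigns a fresh HTTP::Info record to c$http from its pending table, so an HTTP::Info that another script created on c$http before the request was seen is simply replaced. The script below therefore stashes the ICAP username on the connection record rather than on c$http, and copies it into c$http$orig_u from an http_request handler at default priority (which runs after the base script's handler, so c$http is the record that will actually be logged). It assumes a hypothetical ICAP analyzer that raises `icap_header(c, name, value)` once per ICAP header; the real event name, signature and header spelling are assumptions to adjust to the analyzer being written.

```bro
# Added example, not part of the original thread or of Bro itself.
# Assumes a hypothetical event:
#   event icap_header(c: connection, name: string, value: string)
# raised by the ICAP analyzer for each ICAP header it parses.

module ICAPUser;

export {
    ## Username carried in the ICAP X-Authenticated-User header;
    ## &log makes it the last column of http.log ("-" when unset).
    redef record HTTP::Info += {
        orig_u: string &optional &log;
    };

    ## Per-connection stash. Unlike c$http, this field is not replaced
    ## by the base HTTP script, so it survives until http_request fires
    ## and also carries over to later requests on a keep-alive connection.
    redef record connection += {
        icap_user: string &optional;
    };
}

event icap_header(c: connection, name: string, value: string)
{
    if ( to_lower(name) != "x-authenticated-user" )
        return;

    # Do not create c$http here: base/protocols/http/main.bro assigns a
    # new HTTP::Info to c$http in its http_request handler (&priority=5),
    # which would discard anything stored in a hand-made record.
    c$icap_user = value;

    # If the request was already seen, tag the current transaction too,
    # since its http_request handler has already run.
    if ( c?$http )
        c$http$orig_u = value;
}

# Default priority (0) runs after the base script's &priority=5 handler,
# so c$http is the Info record that will be written to http.log.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    if ( c?$icap_user )
        c$http$orig_u = c$icap_user;
}
```

This keeps conn_id untouched (avoiding the table-index problem Seth raised) and handles both orderings, ICAP header before or after the HTTP request line, without depending on which event the analyzer happens to deliver first.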
