Problem adding a field from http.log to the xss.log
by Garcia Rodriguez, Jorge
Hi everyone!
We have integrated the plugin to detect XSS attacks. However, we find it useful to include some of the fields from http.log in xss.log as well. For example, we want to add the "referrer" field that exists in http.log to xss.log.
I have been trying to include this field in xss.log as follows:
    export {
        redef enum Log::ID += { LOG };

        type Info: record {
            # other fields of XSS::Info omitted in this excerpt; referrer is the added one
            referrer: string &log &optional;
        };
    }

    event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
        {
        local xss_payload = sanitize(unescaped_URI);

        if ( match_xss_reflected in xss_payload )
            {
            local rec: XSS::Info = [
                $ts=network_time(),
                $id=c$id,
                $proto=get_port_transport_proto(c$id$resp_p),
                $method=method,
                $xss_payload=xss_payload,
                $referrer=c$http$referrer    # copied from the connection's HTTP::Info record
            ];

            Log::write(XSS::LOG, rec);
            }
        }
With this change, "zeekctl deploy" shows no errors, but the xss.zeek script doesn't print any new events.
Can someone help me with this problem?
Thanks for your time.
Best regards!
Jorge García Rodríguez
Technical Consultant
Cybersecurity Services and Solutions - Protect
+34 902 480 580 | jgarciar(a)sia.es
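A note on the likely cause, followed by an added example that is not part of the original post or of the XSS plugin it refers to. In Zeek's base HTTP analysis (base/protocols/http/main.zeek), c$http$referrer is an &optional field that is only assigned inside the http_header handler when the Referer header is seen. The http_request event fires on the request line, before any header has been parsed, so at that point the field is unset. Reading an unset &optional field is a runtime error ("field value missing"), which aborts the event handler before Log::write is reached. zeekctl deploy cannot catch this because the script parses fine; the errors show up in reporter.log on the workers. The script below avoids the problem by doing the detection and the Log::write in http_message_done for the request side, when every header-derived field of c$http is already populated, and by copying optional fields only after a ?$ presence check. It is a stand-alone module written for this illustration: the pattern xss_pattern is a deliberately simple placeholder for the plugin's own sanitize()/match_xss_reflected logic (which is not reproduced here), and the module would conflict with the plugin's XSS::Info if both were loaded at once.

```zeek
##! Added example (not the poster's or the plugin's code): log XSS hits
##! together with the request's Referer, writing only once all request
##! headers have been processed so that c$http$referrer is available.

@load base/protocols/http

module XSS;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:          time    &log;
        id:          conn_id &log;
        method:      string  &log &optional;
        xss_payload: string  &log;
        referrer:    string  &log &optional;
    };

    ## Placeholder detection pattern for this example only; the real plugin's
    ## sanitize() and match_xss_reflected are assumed to be more thorough.
    const xss_pattern = /<script|javascript:|onerror=|onload=/i &redef;
}

event zeek_init()
    {
    Log::create_stream(XSS::LOG, [$columns=Info, $path="xss"]);
    }

# For the request side (is_orig == T) this event fires after the request
# line, all headers and the body have been parsed, so the &optional fields
# of c$http that depend on headers (referrer, host, ...) are set by now if
# the client sent them. In http_request they are not yet set, and reading
# an unset &optional field aborts the handler with a "field value missing"
# runtime error that appears in reporter.log, not in zeekctl deploy.
event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    if ( ! is_orig || ! c?$http || ! c$http?$uri )
        return;

    # c$http$uri is the raw request URI; decode %xx escapes before matching.
    local payload = unescape_URI(c$http$uri);

    if ( xss_pattern !in payload )
        return;

    local rec: Info = [$ts=network_time(), $id=c$id, $xss_payload=payload];

    # Copy optional HTTP::Info fields only when they are actually present.
    if ( c$http?$method )
        rec$method = c$http$method;
    if ( c$http?$referrer )
        rec$referrer = c$http$referrer;

    Log::write(XSS::LOG, rec);
    }
```

To confirm the diagnosis on the existing script, run it against a pcap containing a reflected-XSS request with a Referer header (zeek -r test.pcap xss.zeek) and inspect reporter.log for a "field value missing (c$http$referrer)" line; the same check on the version above should produce an xss.log entry with the referrer column filled in.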