HTTP CSP Parser

Package functionality and architecture

This package will:

Parse HTTP Content-Security-Policy reports. After parsing is done it will fire an HTTP_CSP::Report event that can be used later to extend basic functionality,
Log every (or only some) report to csp_report.log file,
Use Bro Intelligence Framework to cross check domains in blocked-uri field against your threat intel.

Package contains 3 modules:

You can skip loading optional files in case you don't want to log reports or use intel framework.

You can also redefine following constants to customize package behaviour.

HTTP_CSP::all_sites - parse every report seen (look for csp-report keyword in every HTTP POST request),
HTTP_CSP::monitored_sites - parse only reports sent to specified hosts.