You can get the response status in the HTTP_RESPONSE event, but you have to get the Host and URI from a clientside event. This means you have to save the URI for every request to that server. Here's an example:
when HTTP_REQUEST {
use IP::addr to compare Host header value with the IP we're looking for
if {[IP::addr [HTTP::header value Host] equals 1.1.1.1]}{
for a match, save the URI to log if the response is a 400
set uri [HTTP::uri]
}
}
when HTTP_RESPONSE {
check if HTTP response status is a 400
if {[HTTP::status] == 400}{
Log the client IP address and the URI
log local0. "[IP::client_addr] -> $uri generated 400 response"
}
}
I didn't test this, but it looks right.
Aaron