trace and scripts Re: [Bro] http_request event
rpang at cs.princeton.edu
Sun Jun 19 19:24:09 PDT 2005
Could you capture a piece of trace using 'tcpdump -w' (using '-s 5000'
to make sure complete packets are captured) and run bro over the trace
(with -r)? And if it doesn't work, please send us the trace and policy
scripts you modified. It will help us understand what the problem is.
On Jun 19, 2005, at 10:05 PM, bchen at cs.ucf.edu wrote:
> Hi Vern,
>
> Thank you for your reply. I have actually loaded all http-related .bro
> files, including http, http-request, http-reply, http-body, etc. I load
> them in mt.bro and run Bro: ./bro -i eth0 mt. I then access a web server
> from the same machine where Bro is running. http-request and http-reply
> event handlers have never been called. Please note that I am doing these
> experiments in a closed environment, a small LAN, which is connected
> together with a hub and disconnected from the Internet. There are no DNS
> servers and no gateway here. Communication is basically point-to-point.
> Is this environment affecting the functionality of the http analyzer?
> Quoting Vern Paxson <vern at icir.org>:
>> What exactly are you doing in your script? Note that "@load http"
>> do it - you need "@load http-request" or "@load http-reply" to get
>> request/replies, respectively.
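The suggested workflow (capture a trace, then replay it with -r) is easiest to judge if the policy script reports whether the HTTP events fired at all. The script below is an added example written for this page, not code from the thread or from the Bro distribution. It assumes the http_request and http_reply event signatures as declared in Bro's own policy scripts, a file name of mt-check.bro chosen here, and that the HTTP request/reply analyzers are enabled by loading http-request and http-reply as Vern describes:

```bro
# Added example (not from the original thread): load the HTTP request and
# reply analyzers, echo each event, and print a count at exit so that a
# zero total tells you the analyzer never saw HTTP traffic in the trace.
@load http-request
@load http-reply

global requests_seen = 0;
global replies_seen = 0;

# Signature assumed to match Bro's http_request event declaration.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    ++requests_seen;
    print fmt("request  %s -> %s  %s %s HTTP/%s", c$id$orig_h, c$id$resp_h,
              method, unescaped_URI, version);
    }

# Signature assumed to match Bro's http_reply event declaration.
event http_reply(c: connection, version: string, code: count, reason: string)
    {
    ++replies_seen;
    print fmt("reply    %s -> %s  %d %s", c$id$resp_h, c$id$orig_h,
              code, reason);
    }

# Summary on exit: both counts at zero means the events never fired.
event bro_done()
    {
    print fmt("http_request events: %d, http_reply events: %d",
              requests_seen, replies_seen);
    }
```

To use it with the procedure from the reply: capture with 'tcpdump -s 5000 -w http.trace' (optionally limited to port 80; the trace file name is a placeholder chosen here), then run './bro -r http.trace mt-check'. If the counts stay at zero while the trace visibly contains web traffic, the trace plus this script is exactly what the reply asks to be sent along, since the problem then lies in the analyzer seeing the packets rather than in the event handlers.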