[Bro] can't get the http analyzer to print anything

Jaideep Chandrashekar jaideep.chandrashekar at intel.com
Wed Aug 2 14:37:49 PDT 2006


Folks,
   I'm having trouble running the http analyzer (in Bro 1-1) and would
appreciate any help.

Running bro in offline mode with a tcpdump file (containing several sessions
on port 80) as

 % bro -r trace_incl-http.pcap http

This creates an empty http log. NO http sessions show up!


When I run bro with -t, the tracefile generated does not have any http
events logged.

Digging deeper, I see that in Sessions.cc, NetSessions::NewConn(..)

//----snip-----//
	case 1080:
	case 3128:	// Default port of Squid Proxy Cache.
	case 8000:
	case 8080:
	case 8888:
		if ( http_request || http_reply )
			c = new HTTP_Conn(this, k, t, id, tp);

//-----snip----//

the condition in the _if_ always evaluates to false.


*question*:   Are http_request and http_reply, which are called here,
defined somewhere? I couldn't grep for them in src/


I'm probably doing something very silly, but non-obvious :)

Any pointers to what I might be missing/doing wrong?
The pcap file and the (-t) trace file are attached.


If it helps, I've attached the tracefile and also the connection log (by
running the conn analyzer; this clearly shows http flows).

cheers,

-jc
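The `if ( http_request || http_reply )` gate in the quoted NewConn() snippet tests event handler pointers that are true only when a loaded policy script has registered a handler for that event; until then a port-80 connection gets only generic TCP tracking. The following C++ model of that pattern is an added example, not Bro's source: `EventHandler`, `AnalyzerFor`, `LoadHttpPolicy` and `ProcessPort80Connection` are hypothetical stand-ins, and port 80 is assumed to sit among the cases above the snip in the original listing.

```cpp
#include <cstdint>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for Bro's EventHandlerPtr: it converts to true only
// once a loaded policy script has registered a handler body for the event.
struct EventHandler {
    std::vector<std::function<void(const std::string&)>> bodies;
    // A script's `event http_request(...) { ... }` ends up registered here.
    void Register(std::function<void(const std::string&)> body) {
        bodies.push_back(std::move(body));
    }
    // Truthiness means "some handler exists": exactly what the gate tests.
    explicit operator bool() const { return !bodies.empty(); }
    void Raise(const std::string& arg) const {
        for (const auto& b : bodies) b(arg);
    }
};

// Globals with the names the Sessions.cc snippet references.
EventHandler http_request, http_reply;
int requests_seen = 0;   // incremented by the simulated script handler

// Simplified NetSessions::NewConn(): the analyzer a connection gets, keyed
// on its responder port (80 assumed to sit above the snip in the original).
std::string AnalyzerFor(uint16_t resp_p) {
    switch (resp_p) {
    case 80:
    case 1080:
    case 3128:      // Default port of Squid Proxy Cache.
    case 8000:
    case 8080:
    case 8888:
        if (http_request || http_reply)
            return "HTTP_Conn";
        break;
    }
    return "TCP_Conn";  // generic TCP tracking only: nothing reaches http.log
}

// Simulates loading a script that defines an http_request handler.
void LoadHttpPolicy() {
    http_request.Register([](const std::string&) { ++requests_seen; });
}

// One port-80 connection carrying a constructed request line. Only an
// HTTP_Conn analyzer parses the payload and raises http_request.
bool ProcessPort80Connection(const std::string& request_line) {
    if (AnalyzerFor(80) != "HTTP_Conn")
        return false;
    http_request.Raise(request_line);
    return true;
}
```

With no handler registered, every port-80 connection in the model is handled as plain TCP and the request counter stays at zero, mirroring an empty http.log.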

Attached trace file (bro -t output):
0.000000 /local/bro/policy/bro.init:271	function called: open_log_file(tag = 'notice')
0.000000 /local/bro/policy/bro.init:266		function called: log_file_name(tag = 'notice')
0.000000 /local/bro/policy/bro.init:265			Builtin Function called: getenv(var = 'BRO_LOG_SUFFIX')
0.000000 /local/bro/policy/bro.init:265			Function return: 
0.000000 /local/bro/policy/bro.init:266			Builtin Function called: fmt(va_args = '%s.%s', vararg0 = 'notice', vararg1 = 'log')
0.000000 /local/bro/policy/bro.init:266			Function return: notice.log
0.000000 /local/bro/policy/bro.init:266		Function return: notice.log
0.000000 /local/bro/policy/bro.init:271		Builtin Function called: open(f = 'notice.log')
0.000000 /local/bro/policy/bro.init:271		Function return: <no value description>
0.000000 /local/bro/policy/bro.init:271	Function return: <no value description>
0.000000 /local/bro/policy/bro.init:271	function called: open_log_file(tag = 'http')
0.000000 /local/bro/policy/bro.init:266		function called: log_file_name(tag = 'http')
0.000000 /local/bro/policy/bro.init:265			Builtin Function called: getenv(var = 'BRO_LOG_SUFFIX')
0.000000 /local/bro/policy/bro.init:265			Function return: 
0.000000 /local/bro/policy/bro.init:266			Builtin Function called: fmt(va_args = '%s.%s', vararg0 = 'http', vararg1 = 'log')
0.000000 /local/bro/policy/bro.init:266			Function return: http.log
0.000000 /local/bro/policy/bro.init:266		Function return: http.log
0.000000 /local/bro/policy/bro.init:271		Builtin Function called: open(f = 'http.log')
0.000000 /local/bro/policy/bro.init:271		Function return: <no value description>
0.000000 /local/bro/policy/bro.init:271	Function return: <no value description>
0.000000 /local/bro/policy/pcap.bro:99	event called: bro_init()
0.000000 /local/bro/policy/pcap.bro:94		function called: update_default_pcap_filter()
0.000000 /local/bro/policy/pcap.bro:68			function called: build_default_pcap_filter()
0.000000 /local/bro/policy/pcap.bro:42				function called: join_filters(capture_filter = '', restrict_filter = '')
0.000000 /local/bro/policy/pcap.bro:42				Function return: tcp or udp or icmp
0.000000 /local/bro/policy/pcap.bro:68			Function return: tcp or udp or icmp
0.000000 /local/bro/policy/pcap.bro:88			Builtin Function called: precompile_pcap_filter(id = 'DefaultPcapFilter', s = 'tcp or udp or icmp')
0.000000 /local/bro/policy/pcap.bro:88			Function return: T
0.000000 /local/bro/policy/pcap.bro:79			function called: install_default_pcap_filter()
0.000000 /local/bro/policy/pcap.bro:73				Builtin Function called: install_pcap_filter(id = 'DefaultPcapFilter')
0.000000 /local/bro/policy/pcap.bro:73				Function return: T
1154393297.261665 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=28181/tcp, resp_h=10.3.254.131, resp_p=911/tcp], orig=[size=1342, state=5], resp=[size=900, state=5], start_time=1154393291.88183, duration=5.37856197357178, service=, addl=, hot=0, history=ShADadfF]')
1154393304.677602 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=28182/tcp, resp_h=10.3.254.131, resp_p=911/tcp], orig=[size=4031, state=5], resp=[size=4670, state=5], start_time=1154393292.12069, duration=12.5566198825836, service=, addl=, hot=0, history=ShADadfF]')
1154393304.677983 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=28183/tcp, resp_h=10.3.254.131, resp_p=911/tcp], orig=[size=1956, state=5], resp=[size=25693, state=5], start_time=1154393292.74115, duration=11.9364769458771, service=, addl=, hot=0, history=ShADadfF]')
1154393304.679720 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=10.3.254.131, orig_p=911/tcp, resp_h=143.183.247.174, resp_p=28182/tcp], orig=[size=0, state=6], resp=[size=0, state=0], start_time=1154393304.67961, duration=0.0, service=, addl=, hot=0, history=R]')
1154393304.679730 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=10.3.254.131, orig_p=911/tcp, resp_h=143.183.247.174, resp_p=28182/tcp], orig=[size=0, state=6], resp=[size=0, state=0], start_time=1154393304.67972, duration=0.0, service=, addl=, hot=0, history=R]')
1154393304.679852 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=10.3.254.131, orig_p=911/tcp, resp_h=143.183.247.174, resp_p=28183/tcp], orig=[size=0, state=6], resp=[size=0, state=0], start_time=1154393304.67973, duration=0.0, service=, addl=, hot=0, history=R]')
1154393304.679970 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=10.3.254.131, orig_p=911/tcp, resp_h=143.183.247.174, resp_p=28183/tcp], orig=[size=0, state=6], resp=[size=0, state=0], start_time=1154393304.67985, duration=0.0, service=, addl=, hot=0, history=R]')
1154393309.939261 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=28184/tcp, resp_h=10.3.254.131, resp_p=911/tcp], orig=[size=1242, state=6], resp=[size=3764, state=4], start_time=1154393299.47172, duration=4.93907022476196, service=, addl=, hot=0, history=ShADadFR]')
1154393312.232257 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=10.232.10.253, orig_p=3778/tcp, resp_h=143.183.247.174, resp_p=139/tcp], orig=[size=479, state=5], resp=[size=475, state=5], start_time=1154393312.10328, duration=0.128950119018555, service=, addl=, hot=0, history=ShDadFf]')
1154393312.251645 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=14747/tcp, resp_h=192.168.74.50, resp_p=445/tcp], orig=[size=275, state=5], resp=[size=260, state=5], start_time=1154393312.13517, duration=0.116455078125, service=, addl=, hot=0, history=ShADdFf]')
1154393317.231650 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=7031/tcp, resp_h=10.18.20.236, resp_p=80/tcp], orig=[size=2114, state=5], resp=[size=10815, state=5], start_time=1154393316.98869, duration=0.242847919464111, service=, addl=, hot=0, history=ShADdfF]')
1154393317.266156 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=7032/tcp, resp_h=10.18.20.236, resp_p=80/tcp], orig=[size=697, state=5], resp=[size=329, state=5], start_time=1154393317.23165, duration=0.027965784072876, service=, addl=, hot=0, history=ShADdfF]')
1154393320.583759 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=28185/tcp, resp_h=10.3.254.131, resp_p=911/tcp], orig=[size=4532, state=5], resp=[size=2831, state=5], start_time=1154393304.67798, duration=15.9043388366699, service=, addl=, hot=0, history=ShADadfF]')
1154393320.583785 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=10.3.254.131, orig_p=911/tcp, resp_h=143.183.247.174, resp_p=28185/tcp], orig=[size=0, state=6], resp=[size=0, state=0], start_time=1154393320.58376, duration=0.0, service=, addl=, hot=0, history=R]')
1154393323.055784 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=10.3.254.131, orig_p=911/tcp, resp_h=143.183.247.174, resp_p=28185/tcp], orig=[size=0, state=6], resp=[size=0, state=0], start_time=1154393320.58379, duration=0.0, service=, addl=, hot=0, history=R]')
1154393342.506722 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=20569/tcp, resp_h=143.183.93.145, resp_p=80/tcp], orig=[size=360, state=6], resp=[size=1976, state=4], start_time=1154393342.46757, duration=0.0390548706054688, service=, addl=, hot=0, history=ShADdR]')
1154393342.647980 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=20570/tcp, resp_h=143.183.93.145, resp_p=80/tcp], orig=[size=366, state=6], resp=[size=1976, state=4], start_time=1154393342.48488, duration=0.0218410491943359, service=, addl=, hot=0, history=ShADdR]')
1154393347.479410 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=28191/tcp, resp_h=10.3.254.131, resp_p=911/tcp], orig=[size=4873, state=5], resp=[size=3140, state=5], start_time=1154393323.31368, duration=24.1652369499207, service=, addl=, hot=0, history=ShADadfF]')
1154393347.480561 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=10.3.254.131, orig_p=911/tcp, resp_h=143.183.247.174, resp_p=28191/tcp], orig=[size=0, state=6], resp=[size=0, state=0], start_time=1154393347.48054, duration=0.0, service=, addl=, hot=0, history=R]')
1154393347.480662 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=10.3.254.131, orig_p=911/tcp, resp_h=143.183.247.174, resp_p=28191/tcp], orig=[size=0, state=6], resp=[size=0, state=0], start_time=1154393347.48056, duration=0.0, service=, addl=, hot=0, history=R]')
1154393347.743616 /local/bro/policy/bro.init:251	event called: net_done(t = '1154393347.74362')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=7032/tcp, resp_h=10.18.20.236, resp_p=80/tcp], orig=[size=0, state=0], resp=[size=0, state=3], start_time=1154393317.26616, duration=0.0, service=, addl=, hot=0, history=a]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=28196/tcp, resp_h=10.3.254.131, resp_p=911/tcp], orig=[size=2623, state=4], resp=[size=2522, state=4], start_time=1154393347.47941, duration=0.264206171035767, service=, addl=, hot=0, history=ShADad]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=7029/tcp, resp_h=10.18.20.236, resp_p=80/tcp], orig=[size=8915, state=4], resp=[size=441245, state=4], start_time=1154393309.96173, duration=8.02717185020447, service=, addl=, hot=0, history=ShADd]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=10.3.254.131, orig_p=911/tcp, resp_h=143.183.247.174, resp_p=28181/tcp], orig=[size=0, state=3], resp=[size=0, state=0], start_time=1154393297.26167, duration=0.0, service=, addl=, hot=0, history=A]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=7031/tcp, resp_h=10.18.20.236, resp_p=80/tcp], orig=[size=0, state=0], resp=[size=0, state=3], start_time=1154393317.25091, duration=0.0, service=, addl=, hot=0, history=a]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=1536/tcp, resp_h=143.183.249.156, resp_p=445/tcp], orig=[size=0, state=3], resp=[size=1, state=3], start_time=1154393304.25443, duration=2.19345092773438e-05, service=, addl=, hot=0, history=dA]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=14747/tcp, resp_h=192.168.74.50, resp_p=445/tcp], orig=[size=0, state=3], resp=[size=0, state=0], start_time=1154393312.25165, duration=0.0, service=, addl=, hot=0, history=A]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=20567/tcp, resp_h=143.183.93.145, resp_p=80/tcp], orig=[size=4245, state=4], resp=[size=17176, state=4], start_time=1154393332.92553, duration=9.72245192527771, service=, addl=, hot=0, history=ShADda]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=20568/tcp, resp_h=143.183.93.145, resp_p=80/tcp], orig=[size=951, state=4], resp=[size=3952, state=4], start_time=1154393339.53645, duration=3.11155009269714, service=, addl=, hot=0, history=ShADda]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=10.232.10.253, orig_p=3778/tcp, resp_h=143.183.247.174, resp_p=139/tcp], orig=[size=0, state=3], resp=[size=0, state=0], start_time=1154393312.24013, duration=0.0, service=, addl=, hot=0, history=A]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=7033/tcp, resp_h=10.18.20.236, resp_p=80/tcp], orig=[size=2477, state=4], resp=[size=45169, state=4], start_time=1154393317.38439, duration=1.60171699523926, service=, addl=, hot=0, history=ShADd]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.227, orig_p=138/udp, resp_h=143.183.247.255, resp_p=138/udp], orig=[size=201, state=1], resp=[size=0, state=0], start_time=1154393342.22207, duration=0.0, service=, addl=, hot=0, history=D]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.253, orig_p=123/udp, resp_h=255.255.255.255, resp_p=123/udp], orig=[size=48, state=1], resp=[size=0, state=0], start_time=1154393314.27148, duration=0.0, service=, addl=, hot=0, history=D]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.252, orig_p=123/udp, resp_h=255.255.255.255, resp_p=123/udp], orig=[size=48, state=1], resp=[size=0, state=0], start_time=1154393307.13687, duration=0.0, service=, addl=, hot=0, history=D]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=1796/udp, resp_h=143.183.12.72, resp_p=53/udp], orig=[size=31, state=1], resp=[size=0, state=0], start_time=1154393327.90552, duration=0.0, service=, addl=, hot=0, history=D]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=1797/udp, resp_h=143.183.12.72, resp_p=53/udp], orig=[size=93, state=1], resp=[size=378, state=1], start_time=1154393332.92462, duration=9.33905792236328, service=, addl=, hot=0, history=Dd]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=1797/udp, resp_h=143.183.2.105, resp_p=53/udp], orig=[size=63, state=1], resp=[size=591, state=1], start_time=1154393329.5832, duration=3.34128999710083, service=, addl=, hot=0, history=Dd]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.200, orig_p=138/udp, resp_h=143.183.247.255, resp_p=138/udp], orig=[size=201, state=1], resp=[size=0, state=0], start_time=1154393305.2836, duration=0.0, service=, addl=, hot=0, history=D]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.175, orig_p=138/udp, resp_h=143.183.247.255, resp_p=138/udp], orig=[size=201, state=1], resp=[size=0, state=0], start_time=1154393311.48765, duration=0.0, service=, addl=, hot=0, history=D]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=1795/udp, resp_h=143.183.2.105, resp_p=53/udp], orig=[size=32, state=1], resp=[size=115, state=1], start_time=1154393323.98926, duration=0.592603921890259, service=, addl=, hot=0, history=Dd]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=123/udp, resp_h=143.183.2.48, resp_p=123/udp], orig=[size=48, state=1], resp=[size=48, state=1], start_time=1154393343.71241, duration=0.00535297393798828, service=, addl=, hot=0, history=Dd]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.111, orig_p=2150/udp, resp_h=255.255.255.255, resp_p=1211/udp], orig=[size=270, state=1], resp=[size=0, state=0], start_time=1154393302.90632, duration=40.2833030223846, service=, addl=, hot=0, history=D]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=1794/udp, resp_h=143.183.12.72, resp_p=53/udp], orig=[size=223, state=1], resp=[size=1296, state=1], start_time=1154393290.78435, duration=28.204824924469, service=, addl=, hot=0, history=Dd]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.174, orig_p=1795/udp, resp_h=143.183.12.72, resp_p=53/udp], orig=[size=32, state=1], resp=[size=0, state=0], start_time=1154393324.58206, duration=0.0, service=, addl=, hot=0, history=D]')
1154393347.743616 /local/bro/policy/http.bro:233	event called: connection_state_remove(c = '[id=[orig_h=143.183.247.186, orig_p=138/udp, resp_h=143.183.247.255, resp_p=138/udp], orig=[size=201, state=1], resp=[size=0, state=0], start_time=1154393305.40284, duration=0.0, service=, addl=, hot=0, history=D]')
1154393347.743616 /local/bro/policy/notice.bro:143	event called: bro_done()
Attachment: conn.log (text/x-log, 3970 bytes), archived at http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20060802/823e9ee5/attachment.bin