[Bro] http-<x> and empty http.log
rporada at ll.mit.edu
Thu Sep 27 11:20:12 PDT 2007
On Sep 27, 2007, at 12:46 PM, Robin Sommer wrote:
> On Thu, Sep 27, 2007 at 10:50 -0400, Reed Porada wrote:
>> In trying to get the contents of http sessions, I have run
>> http-body.bro against a pcap, and there is no output to http.log. This
>> is the same with most http-<x> scripts, except http-reply.
> The HTTP scripts are a bit different from other analyzers in the
> sense that they are "incremental", i.e., you typically need to load
> more than one depending on which parts of the HTTP sessions you want
> to analyze.
> The minimum is http-request.bro which analyzes client-side requests.
> You can add http-reply.bro to also see the response code of the
> servers. Then you can further add, e.g., http-body.bro, to get the
> session payload and/or http-header.bro to see all HTTP headers.
> So, in your case, this should do the trick:
> bro -r trace http-request http-reply http-body
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org
That worked. Thanks.