[Bro] New to Bro... Question about recording HTTP User Agents
vern at icir.org
Sun Dec 13 16:04:56 PST 2009
> bro -r "favorite pcap file" http
> to make sure I know what gets recorded in the logs with some of the default policy files. I notice that conn.log gets built just fine when I run the above but I don't seem to get anything in http.log
The HTTP processing is split into a bunch of files because there can be
significant performance implications for each type of analysis that you
activate. http.bro is a base script and doesn't activate any logging.
http-request.bro logs requests, but not replies; http-reply.bro logs
both requests and replies. http-header.bro logs headers in requests
and replies, and http-body.bro extracts the items transferred, logging
the first HTTP::content_truncation_limit bytes (default 40).