[Bro] New to Bro... Question about recording HTTP User Agents

Vern Paxson vern at icir.org
Sun Dec 13 16:04:56 PST 2009

> bro -r "favorite pcap file" http
> to make sure I now what gets recorded in the logs with some of the default policy files.  I notice that conn.log gets built just fine when I run the above but I don't seem to get anything in http.log

The HTTP processing is split into a bunch of files because there can be
significant performance implications for each type of analysis that you
activate.  http.bro is a base script and doesn't activate any logging.
http-request.bro logs requests, but not replies; http-reply.bro logs
both requests and replies.  http-header.bro logs headers in requests
and replies, and http-body.bro extracts the items transfered, logging
the first HTTP::content_truncation_limit bytes (default 40).


More information about the Bro mailing list