[Bro] http.log missing info

Tyler tyler at hudakville.com
Mon Feb 13 13:02:00 PST 2012

Hello all,

  Forgive my question if its basic, but I was not able to find the
answer I was looking for in the docs, FAQ or mailing list archive.

  I just set up bro and am having it just run locally so I can work
with it. I noticed that my http.log file is not recording all the
information for HTTP sessions. It records the connection info (src,
dst, ports) the status_code and msg and thats it. Anything beyond
that, like the uri, host, UA are missing.

  I also noticed that the request body lengths are set to 0. My
conn.log shows the same (request lengths are set to 0). To me this
means that its not seeing the requests go out. I have verified this is
happening with both live analysis and through a recorded pcap which
does contain the requests.

 Oddly, if I dl the http.pcap from the second exercise from the 2011
Bro workshop, it does work correctly.

 Is there a config option that I did not set correctly? I have
verified that my networks.cfg is set up correctly and have not
modified any other settings.


More information about the Bro mailing list