[Bro] Trying to extract HTTP payload
abhishek.lists at gmail.com
Tue Sep 18 11:27:40 PDT 2012
Hi Seth and Doug,
Thanks for the replies.
I still could not get Bro to work though. I am trying to save a gif
file since I thought this would cause less confusion with the file
MIME and extension. I disabled TCP checksum offloading as Doug
suggested. I ran Bro as:
sudo ./bro -C -i eth1 "HTTP::extract_file_types=/.*\.gif/"
I then pointed my browser to a gif image. The entry for the image
appears in http.log but the image does not get saved. I am sure that
the interface is correct. What else can go wrong?
On Tue, Sep 18, 2012 at 10:53 AM, Seth Hall <seth at icir.org> wrote:
> On Sep 18, 2012, at 1:43 PM, Doug Burks <doug.burks at gmail.com> wrote:
>> The blank fields in http.log could be the result of checksum offloading:
> Hah! Good catch Doug. Ironically, the file extraction as he's doing it will still work fine.
> Abhishek, you can have Bro ignore checksums with the -C command line argument, but you definitely do not want to run Bro in production with that argument because it opens the door to easy evasions.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
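An added example for the file-extraction setup discussed in this thread; it is not code from the thread or from the Bro project. It assumes Bro 2.0/2.1, where HTTP::extract_file_types (base/protocols/http/file-extract.bro) is a pattern tested against the sniffed MIME type of the server response (the mime_type column of http.log) rather than against the URL, so a pattern like /image\/gif/ is what would match a GIF body. That version-specific behaviour, the HTTP::extraction_prefix setting, and the file name local-extract.bro are assumptions, not something the thread confirms.

```bro
# local-extract.bro (hypothetical file name)
# Assumption: HTTP::extract_file_types is matched against the response's
# sniffed MIME type (Bro 2.0/2.1 file-extract.bro), not the request URL.

@load base/protocols/http/file-extract

# Match the MIME type string reported in http.log (e.g. "image/gif"),
# not a ".gif" suffix on the URL.
redef HTTP::extract_file_types = /image\/gif/;

# Assumed setting: prefix for the extracted files, which are written to
# the working directory of the bro process (so it must be writable).
redef HTTP::extraction_prefix = "http-item";

# Confirm the pattern is firing: report every logged response whose
# MIME type matches, with the path of the extracted file when present.
event HTTP::log_http(rec: HTTP::Info)
	{
	if ( ! rec?$mime_type )
		return;

	if ( HTTP::extract_file_types in rec$mime_type )
		{
		local uri = rec?$uri ? rec$uri : "<no uri>";
		local f = rec?$extraction_file ? rec$extraction_file : "<not extracted>";
		print fmt("matched %s %s (%s) -> %s", rec$id$resp_h, uri, rec$mime_type, f);
		}
	}
```

To take the interface and checksum-offloading questions out of the picture first, run the script against a capture of the GIF request rather than live traffic, e.g. `bro -r gif.pcap local-extract.bro` (reading from a pcap with `-r` is a standard Bro option); once a file appears that way, the same script can be run with `-i eth1`, using `-C` only for the test and not in production, as noted in the quoted reply.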