[Bro] What goes into http_log?
jswan at sugf.com
Wed Aug 7 10:24:25 PDT 2013
It records everything detected as HTTP. Here's a sample showing a bunch of ports detected as HTTP:
me at so1204:/nsm/bro/logs/current$ bro-cut id.resp_p < http_eth1.log | sort -u
For the second part I think the right way would be to search conn.log for tcp/443, then "grep -v ssl" on the results. But I'm not sure.
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Chris Doman
Sent: Wednesday, August 07, 2013 4:16 AM
To: bro at bro.org
Subject: [Bro] What goes into http_log?
Does anyone know if http_log records everything from port 80, or anything detected as the HTTP protocol etc?
I'm asking as I would like to detect software that communicates over port 80 or 8080 but that isn't infact using HTTP (some beaconing malware for example communicates over port 80).
And similarly it would be very useful to be able to detect non SSL over port 443. I'm thinking that checking for ssl.log where cipher="-" might be a good idea, if ssl.log records everything over port 443.
Apologies if this has been answered before, I couldn't find the answer from a quick google and code check.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro