[Bro] HTTP not being seen

Liam Randall liam at broala.com
Fri Sep 13 12:31:18 PDT 2013


Let's enable your capture loss and see what happens:

Add the following to your local.bro; on security onion it will be located
at /opt/bro/share/bro/site/

# count the ACKs, tell me the # and % I am missing
@load misc/capture-loss.bro

# By default capture-loss reports every 15 minutes, let's turn it up
redef CaptureLoss::watch_interval = 1 min;


Give it a couple of minutes and see what the log says under:

/nsm/bro/logs/capture_loss.log

You will see per worker statistics written every minute.

Let us know.

Thanks,

Liam Randall




On Fri, Sep 13, 2013 at 2:45 PM, Doug Burks <doug.burks at gmail.com> wrote:

> Hi James,
>
> Is it possible you're seeing the effects of NIC offloading features?
>
> http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
>
> On Fri, Sep 13, 2013 at 2:12 PM, James Lay <jlay at slave-tothe-box.net>
> wrote:
> > Hey all,
> >
> > Topic says it... it's very strange... new install on a different box... I
> > see the below:
> >
> > [12:08:56 gateway:~/current$] ls -l
> > total 64
> > -rw-r--r-- 1 root root  3914 Sep 13 12:08 communication.log
> > -rw-r--r-- 1 root root  4082 Sep 13 12:08 conn.log
> > -rw-r--r-- 1 root root 12521 Sep 13 12:08 dns.log
> > -rw-r--r-- 1 root root   396 Sep 13 12:08 dpd.log
> > -rw-r--r-- 1 root root  8691 Sep 13 12:05 loaded_scripts.log
> > -rw-r--r-- 1 root root  1101 Sep 13 12:05 notice_policy.log
> > -rw-r--r-- 1 root root   224 Sep 13 12:05 packet_filter.log
> > -rw-r--r-- 1 root root   699 Sep 13 12:08 ssl.log
> > -rw-r--r-- 1 root root    46 Sep 13 12:05 stderr.log
> > -rw-r--r-- 1 root root    30 Sep 13 12:05 stdout.log
> > -rw-r--r-- 1 root root   717 Sep 13 12:07 weird.log
> >
> > I even see:
> >
> > 2013-09-13T12:05:46-0600        8GxbB0zXe0g     x.x.x.x    53547
> > 74.125.129.99   80      tcp     -       -       -       -       OTH
> > F       0       C       0       0       0       0       (empty)
> >
> > 2013-09-13T12:05:46-0600        HQym3XmcURj     x.x.x.x    36086
> > 205.171.2.25    53      udp     59556   www.google.com  1
> > C_INTERNET      1       A       0       NOERROR F       F       T
> > T       0
> >
> > 74.125.129.99,74.125.129.104,74.125.129.105,74.125.129.147,74.125.129.103,74.125.129.106
> >   297.000000,297.000000,297.000000,297.000000,297.000000,297.000000
> >
> > loaded_scripts.log shows:
> >
> > [12:10:26 gateway:~/current$] grep http loaded_scripts.log
> >    /usr/local/bro/share/bro/base/protocols/http/__load__.bro
> >      /usr/local/bro/share/bro/base/protocols/http/./main.bro
> >      /usr/local/bro/share/bro/base/protocols/http/./utils.bro
> >      /usr/local/bro/share/bro/base/protocols/http/./file-ident.bro
> >      /usr/local/bro/share/bro/base/protocols/http/./file-hash.bro
> >      /usr/local/bro/share/bro/base/protocols/http/./file-extract.bro
> >    /usr/local/bro/share/bro/policy/protocols/http/software.bro
> >    /usr/local/bro/share/bro/policy/protocols/http/detect-MHR.bro
> >
> > But http.log is still not created.  Anything I'm missing here or
> > something I can do to troubleshoot on this end?  This is running on
> > ppp0.  Thank you.
> >
> > James
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
> --
> Doug Burks
> http://securityonion.blogspot.com
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Liam Randall
Managing Partner
510-281-0760
www.Broala.com <http://www.broala.com/>
From the creators of Bro <http://www.bro.org>
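The reply above says what to add to local.bro and where capture_loss.log appears, but not how to read the per-worker lines it produces. The following is an added example, not code from the list message, from Broala or from the Bro project: it parses a capture_loss.log in Bro's tab-separated ASCII format, totals gaps and ACKs per worker, and flags workers whose overall loss exceeds a threshold. The column names (ts, ts_delta, peer, gaps, acks, percent_lost) are the ones the capture-loss script writes; the sample rows are constructed for the example, and the 1% threshold is a value chosen here, not the script's own notice threshold.

```python
"""Summarize Bro capture_loss.log per worker (added example, not list/project code).

Assumes the standard column layout written by misc/capture-loss.bro:
    ts  ts_delta  peer  gaps  acks  percent_lost
and the '#fields' header line that Bro's ASCII log writer emits.
"""
import io
from typing import Dict, List

# Constructed sample log: two one-minute intervals for two workers.
# worker-2 is deliberately lossy so the threshold check has something to flag.
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tcapture_loss
#open\t2013-09-13-12-31-00
#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost
#types\ttime\tinterval\tstring\tcount\tcount\tdouble
1379100660.000000\t60.000000\tworker-1\t3\t12000\t0.025
1379100660.000000\t60.000000\tworker-2\t1500\t12500\t12.0
1379100720.000000\t60.000000\tworker-1\t2\t11800\t0.016949
1379100720.000000\t60.000000\tworker-2\t2100\t13000\t16.153846
#close\t2013-09-13-12-33-00
"""


def parse_capture_loss(text: str) -> List[Dict[str, object]]:
    """Return one typed record per data row, using the names from the #fields header."""
    fields: List[str] = []
    records: List[Dict[str, object]] = []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            # Only the #fields line matters for column names; the rest
            # (#separator, #types, #open, #close, ...) is metadata we skip.
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if not fields:
            raise ValueError("data row encountered before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch on row: {line!r}")
        row = dict(zip(fields, values))
        records.append({
            "ts": float(row["ts"]),
            "ts_delta": float(row["ts_delta"]),
            "peer": row["peer"],
            "gaps": int(row["gaps"]),
            "acks": int(row["acks"]),
            "percent_lost": float(row["percent_lost"]),
        })
    return records


def summarize_by_peer(records: List[Dict[str, object]]) -> Dict[str, Dict[str, float]]:
    """Total gaps and ACKs per worker and recompute loss as 100 * gaps / acks.

    Recomputing from the totals weights each interval by its ACK count instead of
    averaging the per-interval percentages, so a quiet interval cannot mask a busy, lossy one.
    """
    totals: Dict[str, Dict[str, float]] = {}
    for r in records:
        t = totals.setdefault(str(r["peer"]), {"gaps": 0, "acks": 0, "intervals": 0})
        t["gaps"] += int(r["gaps"])
        t["acks"] += int(r["acks"])
        t["intervals"] += 1
    for t in totals.values():
        t["percent_lost"] = 100.0 * t["gaps"] / t["acks"] if t["acks"] else 0.0
    return totals


def flag_lossy_peers(totals: Dict[str, Dict[str, float]], threshold_pct: float = 1.0) -> List[str]:
    """Return the workers whose overall loss exceeds threshold_pct, sorted by name."""
    return sorted(p for p, t in totals.items() if t["percent_lost"] > threshold_pct)


if __name__ == "__main__":
    summary = summarize_by_peer(parse_capture_loss(SAMPLE_LOG))
    for peer, t in sorted(summary.items()):
        print(f"{peer}: {t['gaps']} gaps / {t['acks']} acks over "
              f"{t['intervals']} intervals = {t['percent_lost']:.3f}% lost")
    print("above threshold:", flag_lossy_peers(summary, threshold_pct=1.0))
```

On a real sensor, read /nsm/bro/logs/capture_loss.log (the path given above) instead of SAMPLE_LOG; a worker that is consistently above the threshold while its siblings are near zero usually points at that worker's capture path (NIC offloading or a dropping interface) rather than at Bro's protocol analyzers, which is exactly the distinction the thread is trying to make for the missing http.log.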