[Bro] Bro Not Extracting Host Fields from HTTP Traffic

Azoff, Justin S jazoff at illinois.edu
Tue Jul 12 08:24:11 PDT 2016

It looks like it is missing the entire request.  It's not missing the host field, it's missing every single field from the client request.

method,host,uri,referrer,user_agent,request_body_len are all missing.

Are you running bro on the machine making the outbound connections?  I'm guessing that is your desktop machine.

If you look inside your reporter.log, is there a warning about tcp checksums?

- Justin Azoff

> On Jul 12, 2016, at 11:16 AM, Arash Fallah <af7 at umbc.edu> wrote:
> I'm having an issue where Bro is not extracting the host field correctly from captured HTTP traffic (in the form of a PCAP). I've verified it has nothing to do with split-routing. I also manually examined the PCAP file using Wireshark and found the host field to be present in all instances. I am a bit puzzled. This is significant for our use case because we will be using Bro to monitor for malicious URLs and the like.
> I have my http.log, weird.log, and the PCAP file itself. Unfortunately, I cannot attach the PCAP due to its size and the mail list rejecting the message. Please reply and I will send the PCAP individually.
> Any advice is appreciated.
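A small triage script for the two checks Justin suggests (an added example, not code from the thread or from Bro itself): it greps reporter.log for the checksum warning and counts http.log records whose client-request side is entirely unset. The sample logs are constructed, the http.log column set is trimmed, and the warning wording is assumed; the `bro -C` flag and the `ignore_checksums` variable are Bro's own.

```shell
#!/bin/sh
# Added triage helper (not from the thread): reproduce Justin's two checks offline.
# Assumes Bro 2.x log layout: tab-separated, "#fields" header naming the columns.

WORK=$(mktemp -d)

# Constructed reporter.log. The message paraphrases Bro's checksum-offload warning
# (wording assumed); has_checksum_warning only matches the word "checksum".
tr '|' '\t' > "$WORK/reporter.log" <<'EOF'
#separator \x09
#fields|ts|level|message|location
1468333000.000000|Reporter::WARNING|Your trace file likely has invalid TCP checksums, most likely from NIC checksum offloading.|-
EOF

# Constructed http.log with a trimmed column set. Record 1 shows the symptom:
# a response was parsed but every client-request field is unset ("-").
tr '|' '\t' > "$WORK/http.log" <<'EOF'
#separator \x09
#fields|ts|uid|id.orig_h|id.orig_p|id.resp_h|id.resp_p|trans_depth|method|host|uri|referrer|user_agent|request_body_len|response_body_len|status_code
1468333001.100000|CHhAvVGS1DHFjwGM9|192.0.2.10|51234|198.51.100.5|80|1|-|-|-|-|-|0|512|200
1468333002.200000|CL1pXu2GdUfhJ5aYh3|192.0.2.10|51235|198.51.100.5|80|1|GET|example.com|/index.html|-|curl/7.47.0|0|1024|200
EOF

# Check 1: did Bro warn that it discarded packets with bad TCP checksums?
has_checksum_warning() {
  grep -qi 'checksum' "$1"
}

# Check 2: how many http.log records carry a response but no request fields?
# Columns are resolved by name from the #fields header, so field order does not matter.
count_empty_requests() {
  awk -F'\t' '
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/       { next }
    $(col["method"]) == "-" && $(col["host"]) == "-" { n++ }
    END        { print n + 0 }
  ' "$1"
}

triage() {
  if has_checksum_warning "$1/reporter.log"; then
    echo "reporter.log: bad TCP checksums, client packets dropped before HTTP analysis"
    echo "  re-run with checksum validation off: bro -C -r trace.pcap  (or redef ignore_checksums = T;)"
  fi
  echo "http.log records with a response but no request fields: $(count_empty_requests "$1/http.log")"
}

triage "$WORK"
```

Point the two functions at a real Bro log directory instead of `$WORK` to triage a live capture; if the warning is present, disabling checksum offloading on the capture NIC fixes the root cause rather than the symptom.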
