[Bro] Bro Not Extracting Host Fields from HTTP Traffic
Azoff, Justin S
jazoff at illinois.edu
Tue Jul 12 08:24:11 PDT 2016
It looks like it is missing the entire request. It's not missing the host field, it's missing every single field from the client request.
method,host,uri,referrer,user_agent,request_body_len are all missing.
Are you running bro on the machine making the outbound connections? I'm guessing that 220.127.116.11 is your desktop machine.
If you look inside your reporter.log, is there a warning about tcp checksums?
- Justin Azoff
> On Jul 12, 2016, at 11:16 AM, Arash Fallah <af7 at umbc.edu> wrote:
> I'm having an issue where Bro is not extracting the host field correctly from captured HTTP traffic (in the form of a PCAP). I've verified it has nothing to do with split-routing. I also manually examined the PCAP file using Wireshark and found the host field to be present in all instances. I am a bit puzzled. This is significant for our use case because we will be using Bro to monitor for malicious URLs and the like.
> I have my http.log, weird.log, and the PCAP file itself. Unfortunately, I cannot attach the PCAP due to its size and the mail list rejecting the message. Please reply and I will send the PCAP individually.
> Any advice is appreciated.
> Bro mailing list
> bro at bro-ids.org
More information about the Bro