[Bro] HTTP responses details are missing

Seth Hall seth at corelight.com
Tue Nov 14 10:49:30 PST 2017


It's most likely that you had offloaded checksums when you captured
the PCAP.  More information here:
    https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums

   .Seth

On 14 Nov 2017, at 13:09, BortolameottiR wrote:

> Dear all,
>
> I have a simple question. When I run bro against a .pcap file, it
> happens that some log lines do not show any detail regarding the
> response e.g., response_body_len, status_msg, status_code, resp_fuids
> etc. Is it a problem of the HTTP analyzer?
>
> I am currently trying to extract all the text/files of all responses,
> however it seems that some connections' responses are not parsed by the
> HTTP analyzer.
>
> I tried to extract the files (following the scripts below), however also
> in these settings some "files" were missing. In my case I am talking
> about .css / .html / .js in the response content.
>
> -
> https://www.bro.org/sphinx/scripts/policy/frameworks/files/extract-all-files.bro.html
>
> - https://www.bro.org/sphinx-git/httpmonitor/index.html (at the bottom)
>
> When you look in conn.log, the same connection (according to the id)
> shows the amount of bytes of the response. If you inspect the file using
> Wireshark you can also see that there was a response.
>
> Any idea on what could be the issue?
>
> I can even share the .pcap if needed.
>
> Best,
>
> R.
>

--
Seth Hall * Corelight, Inc * www.corelight.com
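An added diagnostic (not from this thread or the Bro project) for the symptom Seth describes: it verifies TCP checksums the way a packet analyzer does, so you can tell whether a capture was taken with NIC checksum offloading on. The frames, addresses and HTTP payload are constructed inline; no real capture is read.

```python
# Added example: verify IPv4/TCP checksums to spot offloading in a capture.
# Packets are constructed here for illustration (10.0.0.1 -> 10.0.0.2, port 80).
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_tcp(src: bytes, dst: bytes, payload: bytes, checksum=None) -> bytes:
    """Build a minimal IPv4+TCP packet (no options). With checksum=None the
    correct TCP checksum is filled in; passing 0 mimics a frame captured on the
    sending host before the NIC computed it, i.e. checksum offloading."""
    sport, dport, seq, ack, flags = 80, 40000, 1, 1, 0x18  # PSH|ACK
    tcp_len = 20 + len(payload)

    def tcp_hdr(csum: int) -> bytes:
        return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, csum, 0)

    if checksum is None:
        pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, tcp_len)
        checksum = internet_checksum(pseudo + tcp_hdr(0) + payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", internet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr(checksum) + payload

def tcp_checksum_ok(pkt: bytes) -> bool:
    """True if the TCP checksum of an IPv4 packet verifies (sum over pseudo
    header + segment, checksum field included, must come out as zero)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    segment = pkt[ihl:total_len]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, 6, len(segment))
    return internet_checksum(pseudo + segment) == 0

def count_bad_tcp_checksums(pkts) -> int:
    """Number of packets Bro would drop for a bad checksum (unless told to ignore them)."""
    return sum(1 for p in pkts if not tcp_checksum_ok(p))

if __name__ == "__main__":
    src, dst, body = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), b"HTTP/1.1 200 OK\r\n"
    good = build_ipv4_tcp(src, dst, body)
    offloaded = build_ipv4_tcp(src, dst, body, checksum=0)
    print("bad checksums:", count_bad_tcp_checksums([good, offloaded]))  # 1
```

Run the same verification over the IPv4 packets of the real capture; a large share of bad checksums means the capture was taken with offloading enabled, and Bro's -C option (ignore checksums) makes it analyze those packets anyway.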