[Bro-Dev] #1022: HTTP bogus events

Bro Tracker bro at tracker.bro.org
Mon Jun 10 12:04:12 PDT 2013

#1022: HTTP bogus events
 Reporter:  thorkill  |       Type:  Problem
   Status:  new       |   Priority:  High
Milestone:  Bro2.2    |  Component:  Bro
  Version:  2.1       |   Keywords:  http
 I am using attached script to watch for suspected activity in http-
 connections. This happens a lot in our network:

 >  2013-06-10-16:32:00 HTTP::HTTP_strange_event 87.139.xxx.2xx:3916/tcp ->
 xx.xx.xx.xx:80/tcp (uid ngRQOFjBgsg)
   unknown_HTTP_method={Accept: text/*} (0 missed bytes)
   # 87.139.xxx.2xx = p57xxx4xx.dip0.t-ipconnect.de  xx.xx.xx.xx = <???>

 I can not find out what the problem is. httpd logs tell me that everything
 was just fine.
 In most cases it happens after some POST request but not all the time.

 I will provide a pcap if I catch it somehow.

Ticket URL: <http://tracker.bro.org/bro/ticket/1022>
Bro Tracker <http://tracker.bro.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list