[Bro-Dev] #1022: HTTP bogus events
Bro Tracker
bro at tracker.bro.org
Mon Jun 10 12:04:12 PDT 2013
#1022: HTTP bogus events
----------------------+---------------------
 Reporter:  thorkill  |       Type:  Problem
   Status:  new       |   Priority:  High
Milestone:  Bro2.2    |  Component:  Bro
  Version:  2.1       |   Keywords:  http
----------------------+---------------------
I am using the attached script to watch for suspected activity in
http-connections. This happens a lot in our network:
> 2013-06-10-16:32:00 HTTP::HTTP_strange_event 87.139.xxx.2xx:3916/tcp ->
xx.xx.xx.xx:80/tcp (uid ngRQOFjBgsg)
unknown_HTTP_method={Accept: text/*} (0 missed bytes)
# 87.139.xxx.2xx = p57xxx4xx.dip0.t-ipconnect.de xx.xx.xx.xx = <???>
I cannot find out what the problem is. The httpd logs tell me that everything
was just fine.
In most cases it happens after some POST request but not all the time.
I will provide a pcap if I catch it somehow.
--
Ticket URL: <http://tracker.bro.org/bro/ticket/1022>
Bro Tracker <http://tracker.bro.org/bro>
Bro Issue Tracker