[Bro-Dev] [JIRA] (BIT-1022) HTTP bogus events
Seth Hall (JIRA)
jira at bro-tracker.atlassian.net
Fri Nov 8 12:08:31 PST 2013
[ https://bro-tracker.atlassian.net/browse/BIT-1022?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Seth Hall updated BIT-1022:
---------------------------
Resolution: Fixed
Status: Closed (was: Open)
Closing since no traffic was ever provided.
> HTTP bogus events
> -----------------
>
> Key: BIT-1022
> URL: https://bro-tracker.atlassian.net/browse/BIT-1022
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.1
> Reporter: thorkill
> Priority: High
> Labels: http
> Fix For: 2.2
>
> Attachments: local-http.bro
>
>
> I am using the attached script to watch for suspected activity in HTTP connections. This happens a lot in our network:
> > 2013-06-10-16:32:00 HTTP::HTTP_strange_event 87.139.xxx.2xx:3916/tcp -> xx.xx.xx.xx:80/tcp (uid ngRQOFjBgsg)
> > unknown_HTTP_method={Accept: text/*} (0 missed bytes)
> > # 87.139.xxx.2xx = p57xxx4xx.dip0.t-ipconnect.de xx.xx.xx.xx = <???>
> I can not find out what the problem is. httpd logs tell me that everything was just fine.
> In most cases it happens after some POST request but not all the time.
> I will provide a pcap if I catch it somehow.
--
This message was sent by Atlassian JIRA
(v6.2-OD-01#6204)