[Bro-Dev] [JIRA] (BIT-809) HTTP file extraction not correct
Seth Hall (JIRA)
jira at bro-tracker.atlassian.net
Fri Sep 4 06:16:00 PDT 2015
[ https://bro-tracker.atlassian.net/browse/BIT-809?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Seth Hall updated BIT-809:
--------------------------
Resolution: Fixed
Status: Closed (was: Open)
I just tested and this bug no longer exists in Bro. There was a lot of work done on internal file handling for the 2.4 release.
> HTTP file extraction not correct
> --------------------------------
>
> Key: BIT-809
> URL: https://bro-tracker.atlassian.net/browse/BIT-809
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.0
> Reporter: dalton
> Labels: HTTP
>
> I'm trying to use BRO to look at some pipelined HTTP traffic. I'm asking for file extraction but one of the extracted files is the wrong size. In the attached pcap, packet BIT-225 shows the content length as 41931. In the http.log file, I see this:
>
> 1312412117.323323 d8RHszXqnfi 192.168.123.105 37621 74.208.60.21 80 7 GET crev.info /images/interface/resources.png http://crev.info/ Mozilla/5.0 (Linux; U; Android 2.2.1; en-us; HTC Dream Build/FRG83) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 0 *41931* 200 OK - - - (empty) - - - image/png - http-item_192.168.123.105:37621-74.208.60.21:80_resp_7.dat
> 1312412117.710518 d8RHszXqnfi 192.168.123.105 37621 74.208.60.21 80 8 GET crev.info /images/interface/navbar_li.png http://crev.info/ Mozilla/5.0 (Linux; U; Android 2.2.1; en-us; HTC Dream Build/FRG83) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 0 928 200 OK - - - (empty) - - - application/octet-stream - http-item_192.168.123.105:37621-74.208.60.21:80_resp_7.dat
>
> output dir listing:
> ----
> -rw-r--r-- 1 dporter dporter 1150 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_10.dat
> -rw-r--r-- 1 dporter dporter 60901 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_1.dat
> -rw-r--r-- 1 dporter dporter 72217 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_2.dat
> -rw-r--r-- 1 dporter dporter 330 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_3.dat
> -rw-r--r-- 1 dporter dporter 851 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_4.dat
> -rw-r--r-- 1 dporter dporter 716 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_5.dat
> -rw-r--r-- 1 dporter dporter 3408 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_6.dat
> -rw-r--r-- 1 dporter dporter *32931* 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_7.dat
> -rw-r--r-- 1 dporter dporter 771040 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_9.dat
> ----
>
>
> The content length is correct in http.log, but the output file (..._resp_7) has length 32931.
> Also, why does http.log indicate that both resources.png AND navbar_li.png are both written to resp_7.dat ?
>
> The results from xplico and wireshark when run on this pcap file look correct to me.
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-259#70102)