trace and scripts Re: [Bro] http_request event

Ruoming Pang rpang at cs.princeton.edu
Sun Jun 19 19:24:09 PDT 2005


Hi, Bing,

Could you capture a piece of trace using 'tcpdump -w' (using '-s 5000' 
to make sure complete packets are captured) and run bro over the trace 
(with -r)? And if it doesn't work, please send us the trace and policy 
scripts you modified. It will help us understand what the problem is. 
Thanks!

Ruoming

On Jun 19, 2005, at 10:05 PM, bchen at cs.ucf.edu wrote:

> Hi Vern,
>   Thank you for your reply. I have actually loaded all http-related 
> .bro files,
> including http, http-request, http-reply, http-body, etc. I load them 
> in mt.bro
> and run Bro: ./bro -i eth0 mt. I then access a web server from the 
> same machine
> where Bro is running. http-request and http-reply event handlers have 
> never been
> called. Please note that I am doing these experiments in a closed
> environment, a small LAN, which is connected together with a hub and
> disconnected from the Internet. There are no DNS servers and no gateway here. 
> The
> communication is basically point-to-point. Is this environment 
> affecting the
> functionality of the http analyzer?
>
> thanks
>
> Bing
>
>
>
> Quoting Vern Paxson <vern at icir.org>:
>
>> What exactly are you doing in your script?  Note that "@load http" 
>> won't
>> do it - you need "@load http-request" or "@load http-reply" to get
>> request/replies, respectively.
>>
>> 		Vern
>>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
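The following policy script is an added example, not code from the thread or from the Bro distribution. It shows the point Vern makes above in working form: a script that loads http-request and http-reply (not just http) and attaches its own http_request and http_reply handlers, plus a bro_done count so that a run with no matching traffic is visibly distinguishable from a run with broken handlers. It is meant to be run the way Ruoming suggests, over a trace captured with a full snaplen and replayed with -r. The file names http.trace and mt.bro, the interface eth0 and the port 80 filter are assumptions.

```bro
# mt.bro: added example, not code from the original thread.
# Intended use (interface, file names and port filter are assumptions):
#   tcpdump -i eth0 -s 5000 -w http.trace tcp port 80
#   bro -r http.trace mt.bro

# "@load http" alone installs the protocol analyzer; the request and
# reply events are only generated once these two scripts are loaded.
@load http
@load http-request
@load http-reply

# Counters so that a silent run still reports something at exit.
global n_requests = 0;
global n_replies = 0;

# Handlers are additive: this one runs alongside the handler defined
# in http-request.bro and does not replace it.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    ++n_requests;
    print fmt("%s %s:%s -> %s:%s %s %s HTTP/%s",
              network_time(), c$id$orig_h, c$id$orig_p,
              c$id$resp_h, c$id$resp_p, method, original_URI, version);
    }

event http_reply(c: connection, version: string, code: count, reason: string)
    {
    ++n_replies;
    print fmt("%s %s:%s <- %s:%s HTTP/%s %d %s",
              network_time(), c$id$orig_h, c$id$orig_p,
              c$id$resp_h, c$id$resp_p, version, code, reason);
    }

event bro_done()
    {
    # Zero counts here point at the capture (snaplen, filter, interface)
    # or at the traffic itself, not at the handlers above.
    print fmt("http_request events: %d, http_reply events: %d",
              n_requests, n_replies);
    }
```

Running the same script against the trace rather than the live interface separates the two questions in the thread: whether the packets reach Bro complete (the trace can be checked with tcpdump -r) and whether the policy script reacts to them.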