trace and scripts Re: [Bro] http_request event

bchen at cs.ucf.edu bchen at cs.ucf.edu
Sun Jun 19 20:27:19 PDT 2005


Hi Ruoming,
   Thank you for your reply. It turns out it is a checksum problem. Please refer to my description in my latest email to Vern and this list. Does Bro filter out or ignore all bad checksum packets?

Bing



Quoting Ruoming Pang <rpang at CS.Princeton.EDU>:

> Hi, Bing,
>
> Could you capture a piece of trace using 'tcpdump -w' (using '-s 5000' to make sure complete packets are captured) and run bro over the trace (with -r)? And if it doesn't work, please send us the trace and policy scripts you modified. It will help us understand what the problem is. Thanks!
>
> Ruoming
>
> On Jun 19, 2005, at 10:05 PM, bchen at cs.ucf.edu wrote:
>
>> Hi Vern,
>>   Thank you for your reply. I have actually loaded all http-related .bro files, including http, http-request, http-reply, http-body, etc. I load them in mt.bro and run Bro: ./bro -i eth0 mt. I then access a web server from the same machine where Bro is running. http-request and http-reply event handlers have never been called. Please note that I am doing these experiments in a closed environment, a small LAN, which is connected together with a hub and disconnected from the Internet. There are no DNS servers or gateway here. The communication is basically point-to-point. Is this environment affecting the functionality of the http analyzer?
>>
>> thanks
>>
>> Bing
>>
>>
>>
>> Quoting Vern Paxson <vern at icir.org>:
>>
>>> What exactly are you doing in your script?  Note that "@load http" won't
>>> do it - you need "@load http-request" or "@load http-reply" to get
>>> request/replies, respectively.
>>>
>>> 		Vern
>>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
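The thread ends with the checksum hypothesis but no way to confirm it. The script below is an added example, not part of this thread or of Bro: it recomputes the TCP checksum of IPv4/TCP packets so a captured trace can be checked before blaming the analyzer. The sample packet (10.0.0.1:40000 to 10.0.0.2:80 carrying an HTTP request line) is constructed here; the zero checksum field in the second variant mimics what a capture on the sending host shows when the NIC performs checksum offloading, which is a common cause of "bad checksum" packets when client and sniffer run on the same machine.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """Internet checksum arithmetic: 16-bit one's-complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum of the IPv4 pseudo-header plus the TCP segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))  # zero, proto=TCP, length
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    csum = (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF
    return csum or 0xFFFF  # a computed 0 is transmitted as all ones

def verify_tcp_checksum(packet: bytes) -> bool:
    """True if the TCP checksum stored in this IPv4/TCP packet matches the recomputed one."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    segment = packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(packet[12:16], packet[16:20], segment)

def build_packet(payload: bytes, fill_checksum: bool) -> bytes:
    """Constructed sample: 10.0.0.1:40000 -> 10.0.0.2:80. fill_checksum=False mimics a
    checksum-offloaded frame as seen on the sending host, where the field is still zero."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    # ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent pointer
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    if fill_checksum:
        tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag (DF), TTL, proto TCP, checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    return ip + tcp

if __name__ == "__main__":
    req = b"GET / HTTP/1.0\r\n\r\n"
    for label, ok in (("good", True), ("offloaded", False)):
        print(label, "checksum valid:", verify_tcp_checksum(build_packet(req, ok)))
```

To apply this to a real 'tcpdump -w' trace, feed each frame's IP packet (Ethernet header stripped) to verify_tcp_checksum; a trace full of failures taken on the client host points at offloading rather than at the Bro scripts.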