[Bro] Question about HTTP policy capture filters

Vern Paxson vern at icir.org
Thu Jun 23 22:14:22 PDT 2005


> I am trying to get bro (9a8) to capture http events that are not coming
> over port 80/tcp as well as several other ports.

The only way to do this currently is to modify Sessions.cc to add the other
ports of interest (search on "80" to see where the additions are needed).
You'll also need to change the capture filter in http-request.bro (or make
your own version that adds the port to capture_filters - that's cleaner).

> http-request.bro:
>  "not tcp dst port 80 and not tcp dst port 8080"
> 
> However, bro seems to be only reading one filter and not the second part
> of filter.

This is strange - Sessions.cc already treats 8080 (and 8000 and 3128) the
same as 80.  Can you provide a trace that exhibits the problem?

		Vern


