[Bro] Question about HTTP policy capture filters
Aashish Sharma
aashish at uiuc.edu
Thu Jun 23 23:43:59 PDT 2005
Redefining capture_filters for (alternate) http in the site policy file should solve the problem.
I think there are http-request as well as http-reply settings to be done (as in the case of a squid cache proxy via port 3128):
# Client requests going to the proxy port.
redef capture_filters += {
    ["http-request"] = "tcp dst port 3128",
};
# Replies coming back from the proxy port.
redef capture_filters += {
    ["http-reply"] = "tcp src port 3128",
};
Aashish
On Thu, Jun 23, 2005 at 10:14:22PM -0700, Vern Paxson wrote:
> > I am trying to get bro (9a8) to capture http events that are not coming
> > over port 80/tcp as well as several other ports.
>
> The only way to do this currently is to modify Sessions.cc to add the other
> ports of interest (search on "80" to see where the additions are needed).
> You'll also need to change the capture filter in http-request.bro (or make
> your own version that adds the port to capture_filters - that's cleaner).
>
> > http-request.bro:
> > "not tcp dst port 80 and not tcp dst port 8080"
> >
> > However, bro seems to be only reading one filter and not the second part
> > of filter.
>
> This is strange - Sessions.cc already treats 8080 (and 8000 and 3128) the
> same as 80. Can you provide a trace that exhibits the problem?
>
> Vern
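A coverage check for the capture_filters table discussed in this thread, as an added example that is not part of the original messages or of Bro itself. It assumes that table entries are OR-ed into one BPF expression and that a redef reusing an existing key replaces that entry; the stock entries and the squid-request / squid-reply key names are constructed for illustration.

```python
import re

# Ports that Vern's reply says Sessions.cc already treats as HTTP.
HTTP_PORTS = {80, 8000, 8080, 3128}
TERM = re.compile(r"tcp (src|dst) port (\d+)")

def apply_redefs(*redefs):
    """Merge 'redef capture_filters += {...}' tables in order.
    Assumption: a later entry with the same key replaces the earlier one."""
    table = {}
    for entries in redefs:
        table.update(entries)
    return table

def combined_filter(table):
    """Assumption: the entries are OR-ed into one BPF expression."""
    return " or ".join("(%s)" % table[key] for key in sorted(table))

def coverage_gaps(table, ports=HTTP_PORTS):
    """List HTTP ports whose requests (dst) or replies (src) are not captured."""
    seen = {"src": set(), "dst": set()}
    for expr in table.values():
        for term in expr.split(" or "):
            match = TERM.fullmatch(term.strip())
            if match is None:
                raise ValueError("unsupported filter term: %r" % term)
            seen[match.group(1)].add(int(match.group(2)))
    return {"request": sorted(ports - seen["dst"]),
            "reply": sorted(ports - seen["src"])}

# Constructed stand-in for the stock http-request.bro / http-reply.bro entries.
STOCK = {
    "http-request": "tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000",
    "http-reply": "tcp src port 80 or tcp src port 8080 or tcp src port 8000",
}
# The two redefs from the message, reusing the stock keys.
SAME_KEYS = apply_redefs(STOCK, {"http-request": "tcp dst port 3128"},
                         {"http-reply": "tcp src port 3128"})
# Same filters under hypothetical new keys, so the stock entries survive.
NEW_KEYS = apply_redefs(STOCK, {"squid-request": "tcp dst port 3128"},
                        {"squid-reply": "tcp src port 3128"})

if __name__ == "__main__":
    for name, table in (("same keys", SAME_KEYS), ("new keys", NEW_KEYS)):
        print(name, coverage_gaps(table), combined_filter(table), sep="\n  ")
```

A non-empty gap list means traffic on a port the HTTP analyzer expects never reaches it, so the sensor is blind to HTTP on that port.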