[Bro] question about bro alarm log
Nicholas Weaver
nweaver at ICSI.Berkeley.EDU
Wed Oct 3 11:20:48 PDT 2007
On Thu, Oct 04, 2007 at 01:07:41AM +0800, mel composed:
> Hi,
>
> I've noticed that for HTTP_SensitiveURI, there are at least two
> different types of log entries:
>
> t=1190249317.414519 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS
> sa=60.50.247.122 sp=37248/tcp da=58.215.65.113 dp=8000/tcp method=GET
> url=/announce?peer_id=-KT2100-359018798262&port=6881&uploaded=0&downloaded=0&left=33554432&compact=1&numwant=100&key=1458894583&event=started&info_hash=\xd0\x9c;\xd8\xe6z/V\xe8\x89\x9c^K\xc3\xe0?pL\x1b\xaef
> num=302 msg=60.50.247.122/37248\ >\ 58.215.65.113/8000\ %12:\ GET\
> /announce?peer_id=-KT2100-359018798262&port=6881&uploaded=0&downloaded=0&left=33554432&compact=1&numwant=100&key=1458894583&event=started&info_hash=\\xd0\\x9c;\\xd8\\xe6z/V\\xe8\\x89\\x9c^K\\xc3\\xe0?pL\\x1b\\xaef\
> (302\ "Found"\ [0]\ btfans.3322.org:8000) tag=@274
>
> and
>
> t=1190253817.786857 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS
> sa=211.25.195.202 sp=46862/tcp da=60.50.247.122 dp=81/tcp method=GET
> url=/mro/favicon.ico num=404 msg=211.25.195.202/46862\ >\
> 60.50.247.88/81\ %13\ @290:\ GET\ /mro/favicon.ico\ (404\ "Not\ Found"\
> [279]\ whatever.zapto.org:81) tag=@290
>
> In the first line, inside msg:
>
> 60.50.247.122/37248\ >\ 58.215.65.113/8000\ %12:
>
> while the second one:
>
> 211.25.195.202/46862\ >\ 60.50.247.88/81\ %13\ @290:
>
> Why the difference?
Because NOTICE([HTTP_SensitiveURI]) occurs in three segments of the code:
http.bro, http-request, and http-reply, and it is used in
http.bro:
    $msg=fmt("%s:%d -> %s:%d %s: <no reply>",
             session$orig_h, session$orig_p,
             session$resp_h, session$resp_p, id),
http-request.bro:
    $msg=fmt("%s %s: %s %s",
             id_string(c$id), c$addl, method, URI),
http-reply.bro:
    $msg = fmt("%s %s: %s",
               id_string(c$id), c$addl, req_rep),
--
Nicholas C. Weaver nweaver at icsi.berkeley.edu
This message has been ROT-13 encrypted twice for higher security.
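A small parser for these alarm-log entries, added here as an example and not Bro's own code: it decodes the backslash escaping of the key=value fields and pulls the %N session id and the @tag out of msg, so the two shapes in the question can be told apart when correlating notices. The sample lines are the question's two entries, joined onto one line each with the long tracker URL trimmed; the "a:p -> b:p" form from http.bro is assumed from the fmt string in the reply.

```python
import re

# Constructed samples: the two entries quoted in the question, each joined onto
# one line and with the long tracker URL trimmed (the field escaping is unchanged).
SAMPLE_LINES = [
    r't=1190249317.414519 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS sa=60.50.247.122 sp=37248/tcp da=58.215.65.113 dp=8000/tcp method=GET url=/announce?info_hash=\xd0\x9c;\xd8 num=302 msg=60.50.247.122/37248\ >\ 58.215.65.113/8000\ %12:\ GET\ /announce?info_hash=\\xd0\\x9c;\\xd8\ (302\ "Found"\ [0]\ btfans.3322.org:8000) tag=@274',
    r't=1190253817.786857 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS sa=211.25.195.202 sp=46862/tcp da=60.50.247.122 dp=81/tcp method=GET url=/mro/favicon.ico num=404 msg=211.25.195.202/46862\ >\ 60.50.247.88/81\ %13\ @290:\ GET\ /mro/favicon.ico\ (404\ "Not\ Found"\ [279]\ whatever.zapto.org:81) tag=@290',
]

def _split_fields(line):
    """Split on spaces, keeping backslash-escaped pairs ('\\ ', '\\\\', '\\xHH') intact."""
    fields, cur, i = [], [], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            cur.append(line[i:i + 2]); i += 2
        elif line[i] == " ":
            if cur: fields.append("".join(cur)); cur = []
            i += 1
        else:
            cur.append(line[i]); i += 1
    if cur: fields.append("".join(cur))
    return fields

def _unescape(raw):
    """Decode value escaping: '\\ ' -> space, '\\\\' -> backslash, '\\xHH' -> chr(0xHH)."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            hexpart = raw[i + 2:i + 4]
            if raw[i + 1] == "x" and re.fullmatch(r"[0-9a-fA-F]{2}", hexpart):
                out.append(chr(int(hexpart, 16))); i += 4
            else:
                out.append(raw[i + 1]); i += 2
        else:
            out.append(raw[i]); i += 1
    return "".join(out)

def parse_alarm_line(line):
    """Turn one 'key=value key=value ...' alarm line into a dict of decoded values."""
    rec = {}
    for field in _split_fields(line.strip()):
        key, sep, val = field.partition("=")
        if sep:
            rec[key] = _unescape(val)
    return rec

# msg shapes from the reply: "<conn> <addl...>: <detail>", where conn is either
# id_string()'s "a/p > b/p" or (assumed from http.bro's fmt) "a:p -> b:p".
MSG_RE = re.compile(r"^(?P<conn>\S+ -?> \S+)(?P<addl>(?: \S+)*?): (?P<detail>.*)$", re.S)

def describe(line):
    """Extract the %N session id and any @tag carried inside msg (the difference asked about)."""
    rec = parse_alarm_line(line)
    m = MSG_RE.match(rec.get("msg", ""))
    addl = m.group("addl").split() if m else []
    return {
        "notice": rec.get("no"),
        "conn": m.group("conn") if m else None,
        "session": next((t for t in addl if t.startswith("%")), None),
        "msg_tag": next((t for t in addl if t.startswith("@")), None),
        "tag": rec.get("tag"),
        "detail": m.group("detail") if m else rec.get("msg"),
    }
```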