[Bro] How to get anything into c$service
Christian Kreibich
christian at whoop.org
Sun Sep 23 22:51:53 PDT 2007
On Sat, 2007-09-22 at 11:23 -0700, Robin Sommer wrote:
> The crucial point is that you need to have some analyzer running
> which takes the decision. Assuming dpd_conn_logs=T, I get for
> example service={HTTP} for HTTP sessions once I load http-request.
Thanks! Mhmm ... I don't quite see this. When I use
@load conn
@load http-request
redef dpd_conn_logs = T;
then I no longer seem to get connection_finished events(!), despite
seeing the teardown on the wire. I do however see
connection_state_remove, but without anything in c$service. When I use
@load conn
@load dpd
redef dpd_conn_logs = T;
all is well: I get both connection_finished and connection_state_remove,
and both carry HTTP in c$service (since in that case the capture filter
ends up being "tcp or udp or icmp").
Cheers,
Christian
--
________________________________________________________________________
http://www.icir.org/christian
http://www.whoop.org