[Bro] http analyzer

Greg Kosinovsky kosinovsky1 at llnl.gov
Mon Aug 3 17:50:12 PDT 2009


Hi.

I am trying to run bro with the http.bro policy file against a pcap file. 
I get an empty http.log file. However, conn.log contains plenty of 
http records. All I am trying to get is a summary of http 
transactions (as summarized in the "http analyzer" section of the 
manual). Am I using the wrong policy file?
The conn.log content is as follows. Thank you:

1248823461.379857 0.000522 134.9.214.98 198.128.246.10 https 59371 443 tcp 0 0 SF X
1248823461.380007 0.001128 134.9.214.98 74.125.19.103 http 59373 80 tcp 0 0 SF X
1248823461.380081 0.001055 134.9.214.98 74.125.19.103 http 59374 80 tcp 0 0 SF X
1248823461.380165 0.001008 134.9.214.98 74.125.19.139 http 59375 80 tcp 0 0 SF X
1248823470.597261 18.050017 134.9.214.98 198.128.246.160 https 59380 443 tcp 1075 39610 SF X
1248823470.597119 18.050392 134.9.214.98 198.128.246.160 https 59379 443 tcp 1075 36721 SF X
1248823457.013757 68.607945 134.9.214.30 255.255.255.255 ntp 1230 123 udp 240 ? S0 X [5/0]
1248823458.148163 68.386845 134.9.216.231 255.255.255.255 ntp 1230 123 udp 240 ? S0 X [5/0]
1248823469.374292 51.287737 134.9.214.232 255.255.255.255 ntp 1230 123 udp 192 ? S0 X [4/0]
1248823465.334545 ? 134.9.214.98 198.128.246.160 http 59377 80 tcp ? ? S1 X
1248823521.726360 ? 134.9.214.98 208.117.252.89 http 59395 80 tcp ? ? S1 X
1248823492.193498 15.026019 134.9.214.98 198.128.249.4 http 59383 80 tcp 1085 61616 S3 X
1248823492.193864 15.025624 134.9.214.98 198.128.249.4 http 59384 80 tcp 1034 8008 S3 X
1248823501.794443 ? 134.9.214.98 74.125.19.100 http 59387 80 tcp ? ? S1 X
1248823498.532173 ? 134.9.214.98 74.125.19.103 http 59385 80 tcp ? ? S1 X
1248823504.582292 ? 134.9.214.98 216.34.181.60 http 59392 80 tcp ? ? S1 X
1248823498.617937 ? 134.9.214.98 74.125.19.139 http 59386 80 tcp ? ? S1 X
1248823504.575446 ? 134.9.214.98 209.87.252.214 http 59391 80 tcp ? ? S1 X
1248823504.574710 ? 134.9.214.98 209.87.252.214 http 59389 80 tcp ? ? S1 X
1248823504.575088 ? 134.9.214.98 209.87.252.214 http 59390 80 tcp ? ? S1 X
1248823528.360665 0.000069 134.9.214.98 128.115.3.5 other 59368 3268 tcp 0 0 SF X
1248823492.186376 15.032956 134.9.214.98 198.128.249.4 http 59382 80 tcp 1398 19752 S3 X
1248823504.390518 ? 134.9.214.98 209.87.252.214 http 59388 80 tcp ? ? S1 X
1248823512.268070 ? 134.9.214.98 138.23.169.15 http 59393 80 tcp ? ? S1 X
1248823521.660641 ? 134.9.214.98 74.125.19.138 http 59394 80 tcp ? ? S1 X
1248823465.442010 ? 134.9.214.98 198.128.246.160 https 59378 443 tcp ? ? S1 X
1248823491.675365 15.613805 134.9.214.98 198.128.249.4 http 59381 80 tcp 2093 19369 S3 X
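A worked example added here, not part of the post above and not Bro's own code: a small Python parser for the conn.log format quoted in the message. The fields are taken in the order Bro 1.x writes them (start time, duration, originating host, responding host, service, originator port, responder port, protocol, originator bytes, responder bytes, state, flags, then optional additional info), and the parser first re-joins the records that the mail archive wrapped onto two lines. The embedded sample is the post's own conn.log text; the field names, the treatment of "?" as an unknown value, and the short state descriptions (following the conn state codes in the Bro manual) are this example's assumptions.

```python
import re
from collections import Counter

FIELDS = ("ts", "duration", "orig_h", "resp_h", "service", "orig_p", "resp_p",
          "proto", "orig_bytes", "resp_bytes", "state", "flags")
# Connection state codes as described in the Bro manual (subset, assumed here).
STATES = {"S0": "attempt seen, no reply", "S1": "established, not terminated",
          "SF": "normal establishment and termination", "REJ": "attempt rejected",
          "S2": "established, originator closed, no reply from responder",
          "S3": "established, responder closed, no reply from originator"}
TS_RE = re.compile(r"^\d+\.\d+\s")

# conn.log lines from the post, copied exactly as the mail archive wrapped them.
SAMPLE = """\
1248823461.379857 0.000522 134.9.214.98 198.128.246.10 https 59371
443 tcp 0 0 SF X
1248823461.380007 0.001128 134.9.214.98 74.125.19.103 http 59373 80
tcp 0 0 SF X
1248823461.380081 0.001055 134.9.214.98 74.125.19.103 http 59374 80
tcp 0 0 SF X
1248823461.380165 0.001008 134.9.214.98 74.125.19.139 http 59375 80
tcp 0 0 SF X
1248823470.597261 18.050017 134.9.214.98 198.128.246.160 https 59380
443 tcp 1075 39610 SF X
1248823470.597119 18.050392 134.9.214.98 198.128.246.160 https 59379
443 tcp 1075 36721 SF X
1248823457.013757 68.607945 134.9.214.30 255.255.255.255 ntp 1230 123
udp 240 ? S0 X [5/0]
1248823458.148163 68.386845 134.9.216.231 255.255.255.255 ntp 1230
123 udp 240 ? S0 X [5/0]
1248823469.374292 51.287737 134.9.214.232 255.255.255.255 ntp 1230
123 udp 192 ? S0 X [4/0]
1248823465.334545 ? 134.9.214.98 198.128.246.160 http 59377 80 tcp ? ? S1 X
1248823521.726360 ? 134.9.214.98 208.117.252.89 http 59395 80 tcp ? ? S1 X
1248823492.193498 15.026019 134.9.214.98 198.128.249.4 http 59383 80
tcp 1085 61616 S3 X
1248823492.193864 15.025624 134.9.214.98 198.128.249.4 http 59384 80
tcp 1034 8008 S3 X
1248823501.794443 ? 134.9.214.98 74.125.19.100 http 59387 80 tcp ? ? S1 X
1248823498.532173 ? 134.9.214.98 74.125.19.103 http 59385 80 tcp ? ? S1 X
1248823504.582292 ? 134.9.214.98 216.34.181.60 http 59392 80 tcp ? ? S1 X
1248823498.617937 ? 134.9.214.98 74.125.19.139 http 59386 80 tcp ? ? S1 X
1248823504.575446 ? 134.9.214.98 209.87.252.214 http 59391 80 tcp ? ? S1 X
1248823504.574710 ? 134.9.214.98 209.87.252.214 http 59389 80 tcp ? ? S1 X
1248823504.575088 ? 134.9.214.98 209.87.252.214 http 59390 80 tcp ? ? S1 X
1248823528.360665 0.000069 134.9.214.98 128.115.3.5 other 59368 3268
tcp 0 0 SF X
1248823492.186376 15.032956 134.9.214.98 198.128.249.4 http 59382 80
tcp 1398 19752 S3 X
1248823504.390518 ? 134.9.214.98 209.87.252.214 http 59388 80 tcp ? ? S1 X
1248823512.268070 ? 134.9.214.98 138.23.169.15 http 59393 80 tcp ? ? S1 X
1248823521.660641 ? 134.9.214.98 74.125.19.138 http 59394 80 tcp ? ? S1 X
1248823465.442010 ? 134.9.214.98 198.128.246.160 https 59378 443 tcp ? ? S1 X
1248823491.675365 15.613805 134.9.214.98 198.128.249.4 http 59381 80
tcp 2093 19369 S3 X
"""


def unwrap(text):
    """Re-join records the archive wrapped onto two lines: a line that does
    not start with a timestamp is the tail of the previous record."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_record(line):
    """Name the fields; "?" is treated as a value Bro could not determine
    (assumption), which is what the S1 lines show for duration and bytes."""
    parts = line.split()
    if len(parts) < len(FIELDS):
        raise ValueError(f"short record: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["addl"] = " ".join(parts[len(FIELDS):])  # e.g. "[5/0]" on the UDP lines
    rec["duration"] = None if rec["duration"] == "?" else float(rec["duration"])
    for k in ("orig_bytes", "resp_bytes"):
        rec[k] = None if rec[k] == "?" else int(rec[k])
    return rec


def parse_conn_log(text):
    return [parse_record(r) for r in unwrap(text)]


def summarize(records, service="http"):
    """Per-state counts for one service, plus byte totals where they are known."""
    by_state, orig, resp, unknown = Counter(), 0, 0, 0
    for r in (r for r in records if r["service"] == service):
        by_state[r["state"]] += 1
        if r["orig_bytes"] is None or r["resp_bytes"] is None:
            unknown += 1
        else:
            orig, resp = orig + r["orig_bytes"], resp + r["resp_bytes"]
    return {"total": sum(by_state.values()), "by_state": dict(by_state),
            "orig_bytes": orig, "resp_bytes": resp, "unknown_bytes": unknown}


if __name__ == "__main__":
    s = summarize(parse_conn_log(SAMPLE))
    print(f"{s['total']} http connections, {s['unknown_bytes']} with unknown bytes")
    for state, n in sorted(s["by_state"].items()):
        print(f"  {state:3} {n:3}  {STATES.get(state, 'other')}")
```

Run directly, it reports the 19 http connections in the post broken down by state: 3 SF with zero bytes in both directions, 4 S3 with byte counts, and 12 S1 whose duration and byte counts are "?". That per-state breakdown of the http records is the thing to look at next to the empty http.log, since it shows which of the connections conn.log counted as http were actually seen through to completion in the trace.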

