[Bro] http.log event

Ioannis WiCom iduckhd at hotmail.com
Sat Feb 18 09:38:21 PST 2012


I have enabled the conn.log and http.log in Bro.
I am seeing TCP events in dst_port==80 that do not generate events for http.log.

No Event in HTTP:  http 2120 80 tcp 368 1414142 SF X
Event %1 in HTTP: http 59637 80 tcp 1495 1244 SF X %1

The SF flag indicates Normal Establishment and Termination. Why would Bro record one event in http.log, and not the other one?
Note that both of them are actual HTTP traffic. 

Another example:
No event in HTTP: http 49971 80 tcp 0 924818 SH X

I am guessing in the last one, since there are 0 bytes from the originator, it would not generate an event for http.log.

My question is more general: on which occasions of dst_port==80 is an http.log event recorded?

thank you,
Yannis
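One way to investigate the question in the post, as an added example that is not part of the original message: correlate conn.log with http.log by uid and list the port-80 connections that never produced an HTTP record, attaching the most likely explanation the connection record itself supports. It assumes the tab-separated ASCII log format with a `#fields` header and a `uid` column shared by both logs; the sample records are constructed, not real captures, and the three reason strings are the author's classification, not Bro's.

```python
"""Added example (not from the post): correlate Bro/Zeek conn.log with http.log
to list port-80 connections that never produced an http.log record and say why.
Assumes the tab-separated ASCII log format with a '#fields' header and a 'uid'
shared by both logs, and uses constructed sample records, not real captures."""

# Constructed sample logs mirroring the columns quoted in the post
# (ports, proto, orig/resp bytes, conn_state). Only Cb has an HTTP record.
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1329583101.1\tCa\t10.0.0.5\t2120\t192.0.2.10\t80\ttcp\thttp\t1.2\t368\t1414142\tSF
1329583102.3\tCb\t10.0.0.5\t59637\t192.0.2.10\t80\ttcp\thttp\t0.8\t1495\t1244\tSF
1329583103.7\tCc\t10.0.0.5\t49971\t192.0.2.11\t80\ttcp\t-\t0.1\t0\t924818\tSH
"""
HTTP_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth\tmethod\thost\turi
1329583102.4\tCb\t10.0.0.5\t59637\t192.0.2.10\t80\t1\tGET\texample.invalid\t/
"""

NO_ORIG_DATA = "no originator bytes: nothing for the HTTP analyzer to parse"
HALF_OPEN = "conn_state SH: no SYN-ACK seen, responder side of the stream is missing"
UNEXPLAINED = "complete connection with payload but no HTTP record: inspect the pcap"


def parse_log(text):
    """Yield one dict per record, keyed by the names on the #fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record before #fields header")
            yield dict(zip(fields, line.split("\t")))


def explain_port80(conn_text, http_text, port="80"):
    """Map uid -> reason for every TCP connection to `port` absent from http.log."""
    seen = {r["uid"] for r in parse_log(http_text)}
    gaps = {}
    for c in parse_log(conn_text):
        if c["proto"] != "tcp" or c["id.resp_p"] != port or c["uid"] in seen:
            continue
        if c["orig_bytes"] in ("0", "-"):       # the poster's own guess for the SH case
            gaps[c["uid"]] = NO_ORIG_DATA
        elif c["conn_state"] == "SH":           # half-open: SYN then FIN, no SYN-ACK
            gaps[c["uid"]] = HALF_OPEN
        else:                                   # SF with payload: needs packet-level review
            gaps[c["uid"]] = UNEXPLAINED
    return gaps
```

Run it against real logs by reading the two files into `CONN_LOG` and `HTTP_LOG`; any uid classified as UNEXPLAINED is the case the post asks about and is best answered by looking at the packets for that connection.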