[Bro] Trying to extract HTTP payload

Doug Burks doug.burks at gmail.com
Tue Sep 18 10:43:30 PDT 2012


The blank fields in http.log could be the result of checksum offloading:
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
Doug

On Tue, Sep 18, 2012 at 1:23 PM, Abhishek Chanda
<abhishek.lists at gmail.com> wrote:
> Hi,
>
> It still does not seem to work, there is nothing in the current
> directory. Here is an entry from http.log
>
> 1347988766.291078       t3VZX9hEzl7     192.168.10.185  48299   184.172.154.91  80      0       -       -       -       -       -       0       1131    200     OK      -       -       -       (empty) -       -       -       image/jpeg      -       -
>
> There are similar entries which do not have a file name.
>
> Thanks
>
> On Tue, Sep 18, 2012 at 10:14 AM, Seth Hall <seth at icir.org> wrote:
>>
>> On Sep 18, 2012, at 1:08 PM, Abhishek Chanda <abhishek.lists at gmail.com> wrote:
>>
>>> sudo ./bro -i eth0 "HTTP::extract_file_types=/.jpg/"
>>
>>
>> sudo ./bro -i eth0 "HTTP::extract_file_types=/.*\.jpg/"
>>
>>   .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Doug Burks
http://securityonion.blogspot.com
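To make the checksum-offloading explanation above concrete, here is an added example (written for this page, not code from the thread or from the Bro project). When the NIC computes TCP checksums in hardware, packets captured on the sending host reach libpcap before the hardware fills in the field, so the capture shows them with a bogus checksum; Bro verifies checksums by default and silently drops such packets, which is how one side of an HTTP exchange can vanish and leave blank fields in http.log. The script builds a constructed IPv4/TCP packet with the thread's addresses and ports, verifies its checksums the way a sniffer does, and then shows the same packet as it would appear under transmit checksum offloading. The addresses, sequence numbers, and HTTP payload are made up for the demonstration; the way the offloaded field is filled (pseudo-header partial sum, rest left to the NIC) mimics the Linux stack's behaviour and is an assumption about that stack, not something the thread states.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_packet(src_ip, dst_ip, sport, dport, payload: bytes, offload_tx=False) -> bytes:
    """Construct IPv4 header + TCP header (no options) + payload.

    With offload_tx=True the TCP checksum is left in the state a transmit-offloading
    host hands to its NIC, which is what a sniffer on that host captures.
    """
    src = bytes(int(x) for x in src_ip.split("."))
    dst = bytes(int(x) for x in dst_ip.split("."))
    tcp_len = 20 + len(payload)
    total_len = 20 + tcp_len

    # IPv4 header (made-up id, DF set, TTL 64, proto 6) with checksum zeroed, then filled.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]

    # TCP header: made-up seq/ack, data offset 5, flags PSH|ACK, window 65535, checksum 0.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    if offload_tx:
        # Assumed Linux-style partial checksum: only the pseudo-header sum is stored;
        # the NIC would finish the job after the capture point.
        field = ones_complement_sum(pseudo)
    else:
        field = checksum(pseudo + tcp + payload)
    tcp = tcp[:16] + struct.pack("!H", field) + tcp[18:]
    return ip + tcp + payload


def verify(packet: bytes):
    """Return (ip_ok, tcp_ok) for a raw IPv4/TCP packet, as a checksumming sniffer would."""
    ihl = (packet[0] & 0x0F) * 4
    ip_ok = ones_complement_sum(packet[:ihl]) == 0xFFFF
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    # A correct checksum makes the whole sum (pseudo-header + segment) come out to 0xFFFF.
    tcp_ok = ones_complement_sum(pseudo + segment) == 0xFFFF
    return ip_ok, tcp_ok


def bro_would_keep(packet: bytes) -> bool:
    """Bro's default behaviour: a packet failing either checksum is discarded."""
    return all(verify(packet))


# Constructed request from the thread's client to the server on port 80.
REQUEST = b"GET /photo.jpg HTTP/1.1\r\nHost: 184.172.154.91\r\n\r\n"
GOOD = build_packet("192.168.10.185", "184.172.154.91", 48299, 80, REQUEST)
OFFLOADED = build_packet("192.168.10.185", "184.172.154.91", 48299, 80, REQUEST, offload_tx=True)

if __name__ == "__main__":
    print("software checksum :", verify(GOOD), "kept by Bro:", bro_would_keep(GOOD))
    print("tx offloading     :", verify(OFFLOADED), "kept by Bro:", bro_would_keep(OFFLOADED))
```

If the offloaded case matches what you see in a capture (client-side packets with bad TCP checksums in tcpdump -vv), either disable offloading on the capture interface (ethtool -K eth0 tx off rx off) or tell Bro not to verify checksums, with the -C command-line flag or `redef ignore_checksums = T;` in a script, and the missing half of the HTTP transaction should reappear in http.log.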


