[Bro] Trying to extract HTTP payload

Seth Hall seth at icir.org
Tue Sep 18 10:53:53 PDT 2012


On Sep 18, 2012, at 1:43 PM, Doug Burks <doug.burks at gmail.com> wrote:

> The blank fields in http.log could be the result of checksum offloading:
> http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
> Doug


Hah! Good catch, Doug. Ironically, the file extraction as he's doing it will still work fine.

Abhishek, you can have Bro ignore checksums with the -C command line argument, but you definitely do not want to run Bro in production with that argument because it opens the door to easy evasions.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
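A check for the condition Doug points to, added here as an example that is not part of the original thread or of Bro: it recomputes the IPv4 header and TCP checksums over a constructed packet, so a capture can be inspected for offload artifacts (valid IP header, zero or wrong TCP checksum on locally originated traffic) before deciding whether -C is appropriate. The addresses, ports and HTTP request are constructed sample values.

```python
import struct

def rfc1071(data: bytes) -> int:
    """Ones'-complement 16-bit sum over data, folded and inverted (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input, as TCP/IP checksumming requires
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src_ip: bytes, dst_ip: bytes, tcp: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
    return rfc1071(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])

def build_packet(payload: bytes, tcp_csum=None) -> bytes:
    """Constructed sample IPv4+TCP packet (PSH/ACK to port 80). tcp_csum=None writes the
    correct checksum; passing 0 mimics what a capture on a checksum-offloading host records."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    csum = tcp_checksum(src, dst, tcp) if tcp_csum is None else tcp_csum
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", rfc1071(ip)) + ip[12:]  # fill in IP header checksum
    return ip + tcp

def verify(packet: bytes) -> dict:
    """Recompute both checksums. A valid IP header next to a stored TCP checksum of 0 (or a
    consistently wrong one) on outbound packets is the usual sign of offloading, not corruption."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, proto = packet[:ihl], packet[9]
    total_len = struct.unpack("!H", packet[2:4])[0]
    # summing a header that includes its own correct checksum folds to 0xFFFF, inverted to 0
    result = {"ip_ok": rfc1071(ip_hdr) == 0, "tcp_ok": None, "tcp_stored": None}
    if proto == 6 and total_len <= len(packet):
        tcp = packet[ihl:total_len]
        stored = struct.unpack("!H", tcp[16:18])[0]
        result["tcp_stored"] = stored
        result["tcp_ok"] = tcp_checksum(ip_hdr[12:16], ip_hdr[16:20], tcp) == stored
    return result

if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    print(verify(build_packet(req)))             # ip_ok True, tcp_ok True
    print(verify(build_packet(req, tcp_csum=0))) # ip_ok True, tcp_ok False, tcp_stored 0
```

Running it over real packets means slicing the IPv4 header out of each captured frame (after the 14-byte Ethernet header) and passing it to verify().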
