[Bro] Trying to extract HTTP payload

Abhishek Chanda abhishek.lists at gmail.com
Tue Sep 18 11:27:40 PDT 2012


Hi Seth and Doug,

Thanks for the replies.
I still could not get Bro to work though. I am trying to save a gif
file since I thought this would cause less confusion with the file's
MIME type and extension. I disabled TCP checksum offloading as Doug
suggested. I ran Bro as:

sudo ./bro -C -i eth1 "HTTP::extract_file_types=/.*\.gif/"

I then pointed my browser to a gif image. The entry for the image
appears in http.log but the image does not get saved. I am sure that
the interface is correct. What else can go wrong?

Thanks

On Tue, Sep 18, 2012 at 10:53 AM, Seth Hall <seth at icir.org> wrote:
>
> On Sep 18, 2012, at 1:43 PM, Doug Burks <doug.burks at gmail.com> wrote:
>
>> The blank fields in http.log could be the result of checksum offloading:
>> http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
>> Doug
>
>
> Hah!  Good catch Doug.  Ironically, the file extraction as he's doing it will still work fine.
>
> Abhishek, you can have Bro ignore checksums with the -C command line argument, but you definitely do not want to run Bro in production with that argument because it opens the door to easy evasions.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
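The invocation above as a Bro 2.x policy script, added here as an example and not part of the thread. In Bro 2.0/2.1 the extraction logic lives in base/protocols/http/file-extract.bro and compares HTTP::extract_file_types against the sniffed MIME type of the response body (c$http$mime_type), so the pattern names a media type such as image/gif rather than a file extension. The script name extract-gif.bro, the prefix "gif-item" and the trace name trace.pcap are assumptions for illustration.

```bro
# extract-gif.bro (added example, not the project's own script).
# Run offline:  bro -r trace.pcap extract-gif.bro
# Run live:     bro -i eth1 extract-gif.bro
# Add -C only for a trace captured with checksum offloading enabled.

# Loaded by default in Bro 2.x; made explicit so the dependency is visible.
@load base/protocols/http/file-extract

# Matched against the MIME type identified from the body
# (c$http$mime_type), not against the request URI or extension,
# so the pattern must name the media type.
redef HTTP::extract_file_types = /image\/gif/;

# Extracted bodies are written to the working directory with this
# prefix ("gif-item" is an assumed name for this example).
redef HTTP::extract_file_prefix = "gif-item";

# Report each extraction as its http.log entry is written; the
# extraction_file field is set by file-extract.bro when a body was saved.
event HTTP::log_http(rec: HTTP::Info)
	{
	if ( rec?$extraction_file )
		print fmt("extracted %s body for %s from %s",
		          rec?$mime_type ? rec$mime_type : "<unknown type>",
		          rec?$uri ? rec$uri : "<unknown uri>",
		          rec$id$resp_h);
	}
```

On the -C caveat: with checksum verification disabled, a segment carrying a bad TCP checksum is accepted by Bro but discarded by the receiving host, so an attacker can insert data into Bro's reassembled stream that the endpoint never sees (and hide what it does see). Use -C for a lab trace captured with offloading on; for live monitoring, fix the capture side instead, for example with `ethtool -K eth1 tx off rx off` on the sniffing interface or by capturing from a tap or SPAN port.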


