[Bro] What goes into http_log?

Chris Doman chris.doman at cantab.net
Wed Aug 7 03:16:04 PDT 2013


Hi all,

Does anyone know if http_log records everything from port 80, or anything
detected as the HTTP protocol, etc.?

I'm asking as I would like to detect software that communicates over port
80 or 8080 but that isn't in fact using HTTP (some beaconing malware, for
example, communicates over port 80).

And similarly it would be very useful to be able to detect non-SSL over
port 443. I'm thinking that checking for ssl.log where cipher="-" might be
a good idea, if ssl.log records everything over port 443.

Apologies if this has been answered before, I couldn't find the answer
from a quick Google and code check.

Thanks,
Chris
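As an added example (not part of the original post, and not Bro's own code), here is one way to approach the detection the question is after without relying on what http.log or ssl.log happen to contain: read Bro's conn.log instead. Its `service` column is filled in from dynamic protocol detection rather than from the port number, so a connection to port 80 that never spoke HTTP carries `-` (or the name of whatever protocol was actually detected) instead of `http`. The port-to-service mapping, the rule that connections which carried no payload in either direction are skipped (DPD has nothing to classify there), and the sample log lines below are all constructed for this example.

```python
"""Flag connections to web ports whose payload Bro did not identify as
HTTP/SSL, using the `service` column of conn.log.

Added example, not code from the original post or from Bro.  The sample
log below is constructed; the port-to-service table is an assumption
made for this example.
"""

# Which service dynamic protocol detection is expected to report on each
# watched port (assumption for this example; extend as needed).
EXPECTED_SERVICE = {80: "http", 8080: "http", 443: "ssl"}


def parse_conn_log(text):
    """Yield one dict per data row, keyed by the names in the #fields header.

    Bro logs are tab-separated; lines starting with '#' are header/footer
    metadata (#separator, #fields, #types, #open, #close, ...).
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row appeared before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("row has %d columns, header has %d"
                             % (len(values), len(fields)))
        yield dict(zip(fields, values))


def _count(value):
    """Bro writes '-' for an unset count field."""
    return 0 if value == "-" else int(value)


def find_port_protocol_mismatches(text, expected=EXPECTED_SERVICE):
    """Return (uid, resp_h, resp_p, service) for TCP connections to a watched
    port whose detected service is not the one expected on that port.

    Connections with no payload in either direction (e.g. a SYN that was
    never answered, conn_state S0) are skipped: DPD never saw any bytes, so
    a '-' service there says nothing about the protocol in use.
    """
    hits = []
    for rec in parse_conn_log(text):
        if rec.get("proto") != "tcp":
            continue
        port = int(rec["id.resp_p"])
        if port not in expected:
            continue
        if _count(rec["orig_bytes"]) == 0 and _count(rec["resp_bytes"]) == 0:
            continue
        # Newer Bro versions may list several services comma-separated.
        services = set(rec["service"].split(","))
        if expected[port] not in services:
            hits.append((rec["uid"], rec["id.resp_h"], port, rec["service"]))
    return hits


# Constructed sample conn.log (not real traffic).  Column subset only.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tcount\tstring\n"
    # ordinary web browsing: expected service on the port
    "1375870000.1\tCAbc1\t10.0.0.5\t51000\t93.184.216.34\t80\ttcp\thttp\t0.5\t420\t1300\tSF\n"
    # short raw-TCP exchange on 80 that DPD could not classify: flag it
    "1375870001.2\tCAbc2\t10.0.0.5\t51001\t198.51.100.7\t80\ttcp\t-\t0.3\t96\t96\tSF\n"
    # real TLS on 443
    "1375870002.3\tCAbc3\t10.0.0.6\t51002\t198.51.100.7\t443\ttcp\tssl\t1.2\t900\t4000\tSF\n"
    # payload on 443 that is not TLS: flag it
    "1375870003.4\tCAbc4\t10.0.0.6\t51003\t203.0.113.9\t443\ttcp\t-\t0.2\t64\t64\tSF\n"
    # unanswered SYN to 80: no payload, so nothing to judge; skipped
    "1375870004.5\tCAbc5\t10.0.0.7\t51004\t203.0.113.10\t80\ttcp\t-\t-\t0\t0\tS0\n"
    # SSH hiding on 8080: flag it
    "1375870005.6\tCAbc6\t10.0.0.7\t51005\t203.0.113.11\t8080\ttcp\tssh\t2.0\t1500\t2200\tSF\n"
)


if __name__ == "__main__":
    for uid, host, port, service in find_port_protocol_mismatches(SAMPLE_CONN_LOG):
        print("%s -> %s:%d detected service=%s" % (uid, host, port, service))
```

Run against a real conn.log by passing the file contents to `find_port_protocol_mismatches`. The caveat to keep in mind is that DPD only labels what it has a signature for, so a `-` on port 80 means "not recognised", which covers both custom beacon protocols and legitimate protocols Bro has no analyzer for; the byte counts and conn_state in the same record help separate the two.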