[Bro] HTTP not being seen
James Lay
jlay at slave-tothe-box.net
Fri Sep 13 11:12:37 PDT 2013
Hey all,
Topic says it... it's very strange... new install on a different box... I
see the below:
[12:08:56 gateway:~/current$] ls -l
total 64
-rw-r--r-- 1 root root 3914 Sep 13 12:08 communication.log
-rw-r--r-- 1 root root 4082 Sep 13 12:08 conn.log
-rw-r--r-- 1 root root 12521 Sep 13 12:08 dns.log
-rw-r--r-- 1 root root 396 Sep 13 12:08 dpd.log
-rw-r--r-- 1 root root 8691 Sep 13 12:05 loaded_scripts.log
-rw-r--r-- 1 root root 1101 Sep 13 12:05 notice_policy.log
-rw-r--r-- 1 root root 224 Sep 13 12:05 packet_filter.log
-rw-r--r-- 1 root root 699 Sep 13 12:08 ssl.log
-rw-r--r-- 1 root root 46 Sep 13 12:05 stderr.log
-rw-r--r-- 1 root root 30 Sep 13 12:05 stdout.log
-rw-r--r-- 1 root root 717 Sep 13 12:07 weird.log
I even see:
2013-09-13T12:05:46-0600 8GxbB0zXe0g x.x.x.x 53547 74.125.129.99 80 tcp - - - - OTH F 0 C 0 0 0 0 (empty)
2013-09-13T12:05:46-0600 HQym3XmcURj x.x.x.x 36086 205.171.2.25 53 udp 59556 www.google.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 74.125.129.99,74.125.129.104,74.125.129.105,74.125.129.147,74.125.129.103,74.125.129.106 297.000000,297.000000,297.000000,297.000000,297.000000,297.000000
loaded_scripts.log shows:
[12:10:26 gateway:~/current$] grep http loaded_scripts.log
/usr/local/bro/share/bro/base/protocols/http/__load__.bro
/usr/local/bro/share/bro/base/protocols/http/./main.bro
/usr/local/bro/share/bro/base/protocols/http/./utils.bro
/usr/local/bro/share/bro/base/protocols/http/./file-ident.bro
/usr/local/bro/share/bro/base/protocols/http/./file-hash.bro
/usr/local/bro/share/bro/base/protocols/http/./file-extract.bro
/usr/local/bro/share/bro/policy/protocols/http/software.bro
/usr/local/bro/share/bro/policy/protocols/http/detect-MHR.bro
But http.log is still not created. Anything I'm missing here or
something I can do to troubleshoot on this end? This is running on
ppp0. Thank you.
James