[Bro] HTTP not being seen
James Lay
jlay at slave-tothe-box.net
Fri Sep 13 11:33:50 PDT 2013
On 2013-09-13 12:12, James Lay wrote:
> Hey all,
>
> Topic says it...it's very strange...new install on a different box...I
> see the below:
>
> [12:08:56 gateway:~/current$] ls -l
> total 64
> -rw-r--r-- 1 root root 3914 Sep 13 12:08 communication.log
> -rw-r--r-- 1 root root 4082 Sep 13 12:08 conn.log
> -rw-r--r-- 1 root root 12521 Sep 13 12:08 dns.log
> -rw-r--r-- 1 root root 396 Sep 13 12:08 dpd.log
> -rw-r--r-- 1 root root 8691 Sep 13 12:05 loaded_scripts.log
> -rw-r--r-- 1 root root 1101 Sep 13 12:05 notice_policy.log
> -rw-r--r-- 1 root root 224 Sep 13 12:05 packet_filter.log
> -rw-r--r-- 1 root root 699 Sep 13 12:08 ssl.log
> -rw-r--r-- 1 root root 46 Sep 13 12:05 stderr.log
> -rw-r--r-- 1 root root 30 Sep 13 12:05 stdout.log
> -rw-r--r-- 1 root root 717 Sep 13 12:07 weird.log
>
> I even see:
>
> 2013-09-13T12:05:46-0600 8GxbB0zXe0g x.x.x.x 53547 74.125.129.99 80 tcp - - - - OTH F 0 C 0 0 0 0 (empty)
>
> 2013-09-13T12:05:46-0600 HQym3XmcURj x.x.x.x 36086 205.171.2.25 53 udp 59556 www.google.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 74.125.129.99,74.125.129.104,74.125.129.105,74.125.129.147,74.125.129.103,74.125.129.106 297.000000,297.000000,297.000000,297.000000,297.000000,297.000000
>
> loaded_scripts.log shows:
>
> [12:10:26 gateway:~/current$] grep http loaded_scripts.log
> /usr/local/bro/share/bro/base/protocols/http/__load__.bro
> /usr/local/bro/share/bro/base/protocols/http/./main.bro
> /usr/local/bro/share/bro/base/protocols/http/./utils.bro
> /usr/local/bro/share/bro/base/protocols/http/./file-ident.bro
> /usr/local/bro/share/bro/base/protocols/http/./file-hash.bro
> /usr/local/bro/share/bro/base/protocols/http/./file-extract.bro
> /usr/local/bro/share/bro/policy/protocols/http/software.bro
> /usr/local/bro/share/bro/policy/protocols/http/detect-MHR.bro
>
> But http.log is still not created. Anything I'm missing here or
> something I can do to troubleshoot on this end? This is running on
> ppp0. Thank you.
Well...it IS being created...however, certain things don't seem to be
logged. Example:
[12:27:34 gateway:~$] wget www.amazon.com
--2013-09-13 12:30:59-- http://www.amazon.com/
Resolving www.amazon.com (www.amazon.com)... 72.21.194.212
Connecting to www.amazon.com (www.amazon.com)|72.21.194.212|:80...
connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `index.html.1'
[ <=> ] 233,456 271K/s in 0.8s
2013-09-13 12:31:01 (271 KB/s) - `index.html' saved [233456]
And bro shows the below:
2013-09-13T12:30:59-0600 51V4hVkz1le x.x.x.x 36471 72.21.194.212 80 tcp - - - - OTH F 0 C 0 0 0 0 (empty)
2013-09-13T12:30:59-0600 gSRjffzGzGj x.x.x.x 52571 205.171.2.25 53 udp 311 www.amazon.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 72.21.194.212 34.000000
2013-09-13T12:31:00-0600 51V4hVkz1le x.x.x.x 36471 72.21.194.212 80 active_connection_reuse - F bro
Not sure why it's telling me it's an active connection reuse instead of
logging the http traffic.
James
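Added example (not from the thread or the Bro project): a small Python triage check that reads conn.log and weird.log records in the column layout shown in the post and flags flows whose records suggest the sensor never saw a usable stream: an OTH connection with no bytes counted, a history made up only of Bro's bad-checksum letters ('c'/'C'), and a weird.log entry carrying the same uid. The sample records are constructed from the values in the post; the originator address, the second (healthy) connection and its uid are placeholders.

```python
# Constructed sample records in the column layout shown in the thread (Bro 2.x
# conn.log / weird.log order assumed); not the poster's code or Bro project code.
CONN_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration "
               "orig_bytes resp_bytes conn_state local_orig missed_bytes history "
               "orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents").split()
WEIRD_FIELDS = "ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer".split()

# First conn record mirrors the post (originator host is a constructed placeholder);
# the second is a constructed healthy HTTP connection for contrast.
CONN_LOG = "\n".join(["\t".join(r) for r in [
    ["2013-09-13T12:30:59-0600", "51V4hVkz1le", "10.0.0.2", "36471", "72.21.194.212",
     "80", "tcp", "-", "-", "-", "-", "OTH", "F", "0", "C", "0", "0", "0", "0", "(empty)"],
    ["2013-09-13T12:31:05-0600", "CqExampleUid1", "10.0.0.2", "40001", "93.184.216.34",
     "80", "tcp", "http", "0.512", "120", "4821", "SF", "F", "0", "ShADadFf", "6", "440",
     "5", "5089", "(empty)"],
]])
WEIRD_LOG = "\t".join(["2013-09-13T12:31:00-0600", "51V4hVkz1le", "10.0.0.2", "36471",
                       "72.21.194.212", "80", "active_connection_reuse", "-", "F", "bro"])


def parse_log(text, fields):
    """Turn Bro's tab-separated records into dicts keyed by column name."""
    records = []
    for line in text.splitlines():
        if line and not line.startswith("#"):   # skip header/comment lines
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def visibility_problems(conn_text, weird_text):
    """Return (uid, resp_h, resp_p, [reasons]) for records that look unseen by the sensor."""
    weird_by_uid = {}
    for w in parse_log(weird_text, WEIRD_FIELDS):
        weird_by_uid.setdefault(w["uid"], []).append("weird: " + w["name"])
    problems = []
    for c in parse_log(conn_text, CONN_FIELDS):
        reasons = []
        if c["conn_state"] == "OTH" and c["orig_bytes"] == "-" and c["resp_bytes"] == "-":
            reasons.append("OTH state with no payload bytes counted")
        # Bro history letters: c/C mark packets with a bad checksum (uppercase =
        # sent by the originator). A history of only those letters means every
        # packet Bro saw on this flow failed its checksum.
        if c["history"] not in ("", "-") and set(c["history"]) <= {"c", "C"}:
            reasons.append("history contains only bad-checksum flags")
        reasons += weird_by_uid.get(c["uid"], [])
        if reasons:
            problems.append((c["uid"], c["id.resp_h"], c["id.resp_p"], reasons))
    return problems
```

To run it against real files, read conn.log and weird.log into the two text arguments; the header lines are skipped. The check reports the symptom per flow and does not by itself say why the packets were not usable.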