[Bro] HTTP not being seen

Doug Burks doug.burks at gmail.com
Fri Sep 13 11:45:47 PDT 2013


Hi James,

Is it possible you're seeing the effects of NIC offloading features?
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html

On Fri, Sep 13, 2013 at 2:12 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> Hey all,
>
> Topic says it...it's very strange..new install on a different box..I
> see the below:
>
> [12:08:56 gateway:~/current$] ls -l
> total 64
> -rw-r--r-- 1 root root  3914 Sep 13 12:08 communication.log
> -rw-r--r-- 1 root root  4082 Sep 13 12:08 conn.log
> -rw-r--r-- 1 root root 12521 Sep 13 12:08 dns.log
> -rw-r--r-- 1 root root   396 Sep 13 12:08 dpd.log
> -rw-r--r-- 1 root root  8691 Sep 13 12:05 loaded_scripts.log
> -rw-r--r-- 1 root root  1101 Sep 13 12:05 notice_policy.log
> -rw-r--r-- 1 root root   224 Sep 13 12:05 packet_filter.log
> -rw-r--r-- 1 root root   699 Sep 13 12:08 ssl.log
> -rw-r--r-- 1 root root    46 Sep 13 12:05 stderr.log
> -rw-r--r-- 1 root root    30 Sep 13 12:05 stdout.log
> -rw-r--r-- 1 root root   717 Sep 13 12:07 weird.log
>
> I even see:
>
> 2013-09-13T12:05:46-0600        8GxbB0zXe0g     x.x.x.x    53547
> 74.125.129.99   80      tcp     -       -       -       -       OTH
> F       0       C       0       0       0       0       (empty)
>
> 2013-09-13T12:05:46-0600        HQym3XmcURj     x.x.x.x    36086
> 205.171.2.25    53      udp     59556   www.google.com  1
> C_INTERNET      1       A       0       NOERROR F       F       T
> T       0
> 74.125.129.99,74.125.129.104,74.125.129.105,74.125.129.147,74.125.129.103,74.125.129.106
>   297.000000,297.000000,297.000000,297.000000,297.000000,297.000000
>
> loaded_scripts.log shows:
>
> [12:10:26 gateway:~/current$] grep http loaded_scripts.log
>    /usr/local/bro/share/bro/base/protocols/http/__load__.bro
>      /usr/local/bro/share/bro/base/protocols/http/./main.bro
>      /usr/local/bro/share/bro/base/protocols/http/./utils.bro
>      /usr/local/bro/share/bro/base/protocols/http/./file-ident.bro
>      /usr/local/bro/share/bro/base/protocols/http/./file-hash.bro
>      /usr/local/bro/share/bro/base/protocols/http/./file-extract.bro
>    /usr/local/bro/share/bro/policy/protocols/http/software.bro
>    /usr/local/bro/share/bro/policy/protocols/http/detect-MHR.bro
>
> But http.log is still not created.  Anything I'm missing here or
> something I can do to troubleshoot on this end?  This is running on
> ppp0.  Thank you.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Doug Burks
http://securityonion.blogspot.com
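Doug's pointer is NIC offloading (GRO/LRO/TSO and checksum offload hand the capture library reassembled segments that the protocol analyzers cannot match up, which can leave HTTP undetected). The script below, an added example that is not part of the thread or the linked post, parses `ethtool -k` output and lists the offload features that are still on, and includes a helper that switches them off with `ethtool -K`. The feature list to check and the sample `ethtool -k` text are constructed for the example; on a PPP link the check belongs on the underlying Ethernet device rather than `ppp0` (an assumption about that setup).

```shell
#!/bin/sh
# Added example: report NIC offload features that are still enabled on a
# sniffing interface. Reassembled segments from GRO/LRO/TSO can break
# protocol analysis in a packet-capture tool such as Bro.

# Offload features worth checking on a capture interface (ethtool -k names;
# which ones matter is an assumption for this example).
OFFLOAD_FEATURES='rx-checksumming tx-checksumming tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload'

# list_enabled_offloads: read ethtool -k style text on stdin and print the
# names of features from OFFLOAD_FEATURES whose value is "on"
# (a trailing "[fixed]" marker is ignored).
list_enabled_offloads() {
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$line" in
            ''|'Features for'*|'Offload parameters'*) continue ;;
        esac
        name=${line%%:*}
        value=${line#*:}
        value=$(printf '%s' "$value" | sed 's/^[[:space:]]*//; s/[[:space:]].*$//')
        for f in $OFFLOAD_FEATURES; do
            if [ "$name" = "$f" ] && [ "$value" = "on" ]; then
                printf '%s\n' "$name"
            fi
        done
    done
}

# check_iface: query a real interface (needs ethtool installed).
# Returns 1 and prints the offending features if any are still on.
check_iface() {
    iface=$1
    enabled=$(ethtool -k "$iface" | list_enabled_offloads)
    if [ -n "$enabled" ]; then
        printf 'offloads still enabled on %s:\n%s\n' "$iface" "$enabled"
        return 1
    fi
    return 0
}

# disable_offloads: turn the usual offloads off on a real interface
# (needs root). Run this before starting the sensor, e.g. from an
# interface-up hook.
disable_offloads() {
    ethtool -K "$1" rx off tx off sg off tso off gso off gro off lro off
}

# Constructed sample of ethtool -k output (not captured from a real box).
SAMPLE_ETHTOOL='Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'

# Parse the sample when the script is run directly; for a live box use
# check_iface eth0 (and disable_offloads eth0 as root).
printf '%s\n' "$SAMPLE_ETHTOOL" | list_enabled_offloads
```

The parser is separated from the `ethtool` call so the logic can be exercised without a NIC; `check_iface` is what you would run on the sensor, and any feature it prints is a candidate for `disable_offloads`. Note that offloads are reapplied by some drivers on link reset, so the check is worth repeating after an interface bounce.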