[Bro] HTTP not being seen
Doug Burks
doug.burks at gmail.com
Fri Sep 13 11:45:47 PDT 2013
Hi James,
Is it possible you're seeing the effects of NIC offloading features?
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
On Fri, Sep 13, 2013 at 2:12 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> Hey all,
>
> Topic says it... it's very strange... new install on a different box... I
> see the below:
>
> [12:08:56 gateway:~/current$] ls -l
> total 64
> -rw-r--r-- 1 root root 3914 Sep 13 12:08 communication.log
> -rw-r--r-- 1 root root 4082 Sep 13 12:08 conn.log
> -rw-r--r-- 1 root root 12521 Sep 13 12:08 dns.log
> -rw-r--r-- 1 root root 396 Sep 13 12:08 dpd.log
> -rw-r--r-- 1 root root 8691 Sep 13 12:05 loaded_scripts.log
> -rw-r--r-- 1 root root 1101 Sep 13 12:05 notice_policy.log
> -rw-r--r-- 1 root root 224 Sep 13 12:05 packet_filter.log
> -rw-r--r-- 1 root root 699 Sep 13 12:08 ssl.log
> -rw-r--r-- 1 root root 46 Sep 13 12:05 stderr.log
> -rw-r--r-- 1 root root 30 Sep 13 12:05 stdout.log
> -rw-r--r-- 1 root root 717 Sep 13 12:07 weird.log
>
> I even see:
>
> 2013-09-13T12:05:46-0600 8GxbB0zXe0g x.x.x.x 53547
> 74.125.129.99 80 tcp - - - - OTH
> F 0 C 0 0 0 0 (empty)
>
> 2013-09-13T12:05:46-0600 HQym3XmcURj x.x.x.x 36086
> 205.171.2.25 53 udp 59556 www.google.com 1
> C_INTERNET 1 A 0 NOERROR F F T
> T 0
> 74.125.129.99,74.125.129.104,74.125.129.105,74.125.129.147,74.125.129.103,74.125.129.106
> 297.000000,297.000000,297.000000,297.000000,297.000000,297.000000
>
> loaded_scripts.log shows:
>
> [12:10:26 gateway:~/current$] grep http loaded_scripts.log
> /usr/local/bro/share/bro/base/protocols/http/__load__.bro
> /usr/local/bro/share/bro/base/protocols/http/./main.bro
> /usr/local/bro/share/bro/base/protocols/http/./utils.bro
> /usr/local/bro/share/bro/base/protocols/http/./file-ident.bro
> /usr/local/bro/share/bro/base/protocols/http/./file-hash.bro
> /usr/local/bro/share/bro/base/protocols/http/./file-extract.bro
> /usr/local/bro/share/bro/policy/protocols/http/software.bro
> /usr/local/bro/share/bro/policy/protocols/http/detect-MHR.bro
>
> But http.log is still not created. Anything I'm missing here or
> something I can do to troubleshoot on this end? This is running on
> ppp0. Thank you.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--
Doug Burks
http://securityonion.blogspot.com
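As an added example (not from the thread or the linked Security Onion post), a POSIX shell check for the NIC offloading Doug suggests: it reads `ethtool -k` output for the capture NIC, lists the offload features still on, and emits the `ethtool -K` commands that turn them off. The interface name and the sample `ethtool -k` text are constructed.

```shell
# Added example (not from the thread): list NIC offload features still on, as
# reported by `ethtool -k`. Segmentation/receive offload hands the sniffer
# frames larger than the wire MTU and checksum offload frames with unfilled
# checksums; either can leave Bro unable to analyze the TCP stream.

# Offload features a capture box normally runs with off.
OFFLOADS="rx-checksumming tx-checksumming tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload"

# Constructed sample in the format `ethtool -k eth0` prints on Linux.
SAMPLE='Features for eth0:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: off [fixed]
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
'

# enabled_offloads: read ethtool -k text on stdin, print the capture-relevant
# features reported "on", one per line (indented sub-features are skipped).
enabled_offloads() {
    awk -v list="$OFFLOADS" '
        BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        /^[a-z0-9-]+: on/ { f = $1; sub(/:$/, "", f); if (f in w) print f }
    '
}

# short_name: ethtool -K takes the short feature names; map from the long ones.
short_name() {
    case "$1" in
        rx-checksumming) echo rx ;;
        tx-checksumming) echo tx ;;
        tcp-segmentation-offload) echo tso ;;
        generic-segmentation-offload) echo gso ;;
        generic-receive-offload) echo gro ;;
        large-receive-offload) echo lro ;;
    esac
}

# disable_commands: turn enabled_offloads output (stdin) into the ethtool -K
# commands that switch those features off on the interface given as $1.
disable_commands() {
    while read -r f; do
        echo "ethtool -K $1 $(short_name "$f") off"
    done
}

# Live use would be: ethtool -k eth0 | enabled_offloads | disable_commands eth0
printf '%s' "$SAMPLE" | enabled_offloads | disable_commands eth0
```

Run the live form against the physical NIC that carries the capture traffic; the settings do not persist across reboots, so add the resulting commands to the interface's startup configuration once they fix the capture.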