[Bro] HTTP not being seen
Schoenefeld, Keith P.
Keith_Schoenefeld at baylor.edu
Fri Sep 13 14:41:57 PDT 2013
I'd point out that the conn.log file lines included in his email indicate that the received and sent bytes are 0, and the connection state is borked -- I believe this would prevent it from being detected as http traffic, and therefore not create an http.log file.
-- KS
-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of James Lay
Sent: Friday, September 13, 2013 4:37 PM
To: Keith Butler
Cc: <bro at bro.org>
Subject: Re: [Bro] HTTP not being seen
Hi Keith,
Just ran that http.pcap...looked great in my http.log:
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer user_agent request_body_len response_body_len status_code status_msg info_code info_msg filename tags username password proxied mime_type md5 extraction_file
#types time string addr port addr port count string string string string string count count count string count string string table[enum] string string table[string] string string file
1320279566.452687 JIDwiHjbv85 192.168.2.76 52026 132.235.215.119 80 1 GET www.reddit.com / - Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 0 109978 200 OK - - - (empty) - - - text/html - -
1320279566.831619 VKdyryoPlil 192.168.2.76 52030 72.21.211.173 80 1 GET e.thumbs.redditmedia.com /E-pbDbmiBclPkDaX.jpg http://www.reddit.com/ Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 0 2300 200 OK - - - (empty) - - - image/jpeg - -
Thank you.
James
On Sep 13, 2013, at 15:27, Keith Butler <kebutler at gmail.com> wrote:
> In line with Doug's suggestion, can you try a known good source of traffic? For example a packet trace from Bro Workshop:
> The first exercise on the following page has an http.pcap file:
> http://www.bro.org/bro-workshop-2011/exercises/logs/index.html
>
> Here is the direct link:
> http://www.bro.org/bro-workshop-2011/exercises/logs/http.pcap
>
> Try running:
> $ /path/to/your/bro -r http.pcap
>
> and see what happens?
>
> -kb
>
>
> On Sep 13, 2013, at 3:50 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
>> On 2013-09-13 13:31, Liam Randall wrote:
>>> Let's enable your capture loss and see what happens:
>>>
>>> Add the following to your local.bro; on Security Onion it will be located at /opt/bro/share/bro/site/
>>>
>>> # count the ACKs, tell me the # and % I am missing
>>> @load misc/capture-loss.bro
>>>
>>> # By default capture-loss reports every 15 minutes, let's turn it up
>>> redef CaptureLoss::watch_interval = 1 min;
>>>
>>> Give it a couple of minutes and see what the log says under:
>>>
>>> /nsm/bro/logs/capture_loss.log
>>>
>>> You will see per worker statistics written every minute.
>>>
>>> Let us know.
>>>
>>> Thanks,
>>>
>>> Liam Randall
>>
>>
>> Thanks Liam...here's what I got:
>> #fields ts ts_delta peer gaps acks percent_lost
>> #types time interval string count count string
>> 2013-09-13T13:34:59-0600 60.000084 bro 0 16 0.000%
>> 2013-09-13T13:35:59-0600 60.000044 bro 0 0 0.000%
>> 2013-09-13T13:36:59-0600 60.000048 bro 0 14 0.000%
>> 2013-09-13T13:37:59-0600 60.000048 bro 1 1 100.000%
>> 2013-09-13T13:38:59-0600 60.000038 bro 0 0 0.000%
>> 2013-09-13T13:39:59-0600 60.000050 bro 0 0 0.000%
>> 2013-09-13T13:40:59-0600 60.000093 bro 0 0 0.000%
>> 2013-09-13T13:41:59-0600 60.000023 bro 0 0 0.000%
>> 2013-09-13T13:42:59-0600 60.000022 bro 0 0 0.000%
>> 2013-09-13T13:43:59-0600 60.000023 bro 0 0 0.000%
>> 2013-09-13T13:44:59-0600 60.000089 bro 0 0 0.000%
>> 2013-09-13T13:45:59-0600 60.000073 bro 0 0 0.000%
>> 2013-09-13T13:46:59-0600 60.000011 bro 0 0 0.000%
>>
>> Bro entries:
>> 2013-09-13T13:45:33-0600 dPCMEyJBiU7 x.x.x.x 47285 50.18.192.250 80 tcp - - - - OTH - 0 C 0 0 0 0 (empty)
>> 2013-09-13T13:45:33-0600 PFUbImVSSZ2 x.x.x.x 35306 205.171.2.25 53 udp 63725 www.duckduckgo.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 duckduckgo.com,50.18.192.250,50.18.192.251 900.000000,25.000000,25.000000
>> 2013-09-13T13:45:34-0600 8ZduhgTSjm6 x.x.x.x 37025 205.171.2.25 53 udp 35309 duckduckgo.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 50.18.192.251,50.18.192.250 24.000000,24.000000
>> 2013-09-13T13:45:34-0600 dPCMEyJBiU7 x.x.x.x 47285 50.18.192.250 80 active_connection_reuse - F bro
>>
>>
>> Wget info:
>> [13:45:20 gateway:~$] wget www.duckduckgo.com
>> --2013-09-13 13:45:33--  http://www.duckduckgo.com/
>> Resolving www.duckduckgo.com (www.duckduckgo.com)... 50.18.192.250, 50.18.192.251
>> Connecting to www.duckduckgo.com (www.duckduckgo.com)|50.18.192.250|:80... connected.
>> HTTP request sent, awaiting response... 301 Moved Permanently
>> Location: https://duckduckgo.com/ [following]
>> --2013-09-13 13:45:34--  https://duckduckgo.com/
>> Resolving duckduckgo.com (duckduckgo.com)... 50.18.192.251, 50.18.192.250
>> Connecting to duckduckgo.com (duckduckgo.com)|50.18.192.251|:443... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 8646 (8.4K) [text/html]
>> Saving to: `index.html'
>>
>> 100%[=========================>] 8,646 --.-K/s in 0s
>>
>> 2013-09-13 13:45:34 (86.8 MB/s) - `index.html' saved [8646/8646]
>>
>>
>> Tshark info:
>> 2013-09-13 13:45:33.991079 x.x.x.x -> 50.18.192.250 TCP 76 47285 > 80 [SYN] Seq=0 Win=14520 Len=0 MSS=1452 SACK_PERM=1 TSval=147157135 TSecr=0 WS=16
>> 2013-09-13 13:45:34.035256 50.18.192.250 -> x.x.x.x TCP 76 80 > 47285 [SYN, ACK] Seq=0 Ack=1 Win=7240 Len=0 MSS=1460 SACK_PERM=1 TSval=23107600 TSecr=147157135 WS=1
>> 2013-09-13 13:45:34.035375 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80 [ACK] Seq=1 Ack=1 Win=14528 Len=0 TSval=147157146 TSecr=23107600
>> 2013-09-13 13:45:34.035595 x.x.x.x -> 50.18.192.250 HTTP 186 GET / HTTP/1.1
>> 2013-09-13 13:45:34.082121 50.18.192.250 -> x.x.x.x TCP 68 80 > 47285 [ACK] Seq=1 Ack=119 Win=7122 Len=0 TSval=23107612 TSecr=147157146
>> 2013-09-13 13:45:34.082132 50.18.192.250 -> x.x.x.x HTTP 503 HTTP/1.1 301 Moved Permanently (text/html)
>> 2013-09-13 13:45:34.082241 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80 [ACK] Seq=119 Ack=436 Win=15600 Len=0 TSval=147157158 TSecr=23107612
>> 2013-09-13 13:45:34.446981 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80 [FIN, ACK] Seq=119 Ack=436 Win=15600 Len=0 TSval=147157249 TSecr=23107612
>> 2013-09-13 13:45:34.492112 50.18.192.250 -> x.x.x.x TCP 68 80 > 47285 [FIN, ACK] Seq=436 Ack=120 Win=7121 Len=0 TSval=23107714 TSecr=147157249
>> 2013-09-13 13:45:34.492164 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80 [ACK] Seq=120 Ack=437 Win=15600 Len=0 TSval=147157260 TSecr=23107714
>>
>> Not sure what to think...it's very strange. Thanks again.
>>
>> James
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
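An added example for this thread (not code from the Bro project or from anyone on the list): a small Python script that re-joins the conn.log and capture_loss.log rows James posted and decodes the conn_state and history columns using the meanings given in Bro's conn.log documentation, which is the check I would make first on a connection that never produced an http.log row. The conn.log column order is assumed (the #fields header was not quoted, but the posted row has exactly those 20 columns), the CONN_OK contrast row is constructed, and all function names are my own.

```python
"""Decode the conn.log and capture_loss.log rows quoted in this thread.

Added example for this page; not code from the Bro project or from anyone in
the thread. Assumptions: CONN_FIELDS is the standard Bro 2.x conn.log column
order (the #fields header was not quoted, but the posted row has exactly these
20 columns); flag meanings follow the Bro conn.log documentation; CONN_OK is a
constructed row for contrast, not one from the thread.
"""

# The conn.log row James posted, re-joined onto one line (mail reflow split it).
CONN_OTH = (
    "2013-09-13T13:45:33-0600 dPCMEyJBiU7 x.x.x.x 47285 50.18.192.250 80 "
    "tcp - - - - OTH - 0 C 0 0 0 0 (empty)"
)
# Constructed row: what a fully observed HTTP fetch normally looks like in conn.log.
CONN_OK = (
    "1320279566.452687 JIDwiHjbv85 192.168.2.76 52026 132.235.215.119 80 "
    "tcp http 0.512 109 109978 SF - 0 ShADadFf 12 745 84 114343 (empty)"
)
# The first five capture_loss.log rows from the thread, one per line.
CAPTURE_LOSS = """\
2013-09-13T13:34:59-0600 60.000084 bro 0 16 0.000%
2013-09-13T13:35:59-0600 60.000044 bro 0 0 0.000%
2013-09-13T13:36:59-0600 60.000048 bro 0 14 0.000%
2013-09-13T13:37:59-0600 60.000048 bro 1 1 100.000%
2013-09-13T13:38:59-0600 60.000038 bro 0 0 0.000%
"""

CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
    "local_orig", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
    "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

# conn.log history letters: upper case = sent by originator, lower case = by responder.
HISTORY_FLAGS = {
    "s": "SYN (no ACK)", "h": "SYN+ACK", "a": "pure ACK", "d": "packet with payload",
    "f": "FIN", "r": "RST", "c": "packet with bad checksum", "g": "content gap",
    "t": "retransmitted packet", "i": "inconsistent packet", "q": "multi-flag packet",
}


def parse_conn_line(line):
    """Map one conn.log row onto CONN_FIELDS. Real logs are tab-separated, but no
    conn.log field contains whitespace, so split() also copes with mail reflow."""
    values = line.split()
    if len(values) != len(CONN_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(CONN_FIELDS), len(values)))
    return dict(zip(CONN_FIELDS, values))


def decode_history(history):
    """Expand a history string into (who, meaning) pairs, one per letter."""
    return [("originator" if ch.isupper() else "responder",
             HISTORY_FLAGS.get(ch.lower(), "unknown flag %r" % ch))
            for ch in history]


def why_no_http(rec):
    """Reasons a conn.log row could not have produced an http.log row.

    The HTTP analyzer needs payload bytes to parse (and DPD needs them to match
    on), so a row with no handshake, no data and zero counted packets cannot
    yield an http.log entry no matter which port it used.
    """
    hist = rec["history"]
    reasons = []
    if not set("sha") & set(hist.lower()):
        reasons.append("no_handshake")          # no SYN, SYN-ACK or ACK attributed
    if "d" not in hist.lower():
        reasons.append("no_payload")            # nothing for the HTTP parser to read
    if rec["orig_pkts"] == "0" and rec["resp_pkts"] == "0":
        reasons.append("zero_packets")
    if "C" in hist:
        reasons.append("bad_checksum_from_originator")  # Bro discards such packets
    if "c" in hist:
        reasons.append("bad_checksum_from_responder")
    if rec["conn_state"] == "OTH":
        reasons.append("midstream_only")        # OTH: no SYN seen, partial connection
    return reasons


def parse_capture_loss(text):
    """Parse capture_loss.log rows (ts ts_delta peer gaps acks percent_lost)."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, _delta, peer, gaps, acks, pct = line.split()
        records.append({"ts": ts, "peer": peer, "gaps": int(gaps), "acks": int(acks),
                        "percent_lost": float(pct.rstrip("%"))})
    return records


def lossy_intervals(records):
    """Intervals in which Bro saw a sequence gap, i.e. evidence of dropped packets."""
    return [r for r in records if r["gaps"] > 0]


if __name__ == "__main__":
    for row in (CONN_OTH, CONN_OK):
        rec = parse_conn_line(row)
        print(rec["uid"], rec["conn_state"], rec["history"], decode_history(rec["history"]))
        print("  reasons no http.log row:", why_no_http(rec) or "none")
    for r in lossy_intervals(parse_capture_loss(CAPTURE_LOSS)):
        print("loss at %s: %d gap(s) in %d ACK(s) = %.1f%%"
              % (r["ts"], r["gaps"], r["acks"], r["percent_lost"]))
```

Two things the decoded output makes visible that the raw row does not: the history column of the posted connection is a single "C", which in Bro's conn.log documentation means the only packet attributed to the connection was an originator packet with a bad TCP checksum, and Bro does not hand such packets to its analyzers (the documented way to override that is `bro -C`, or `redef ignore_checksums = T;` in local.bro); the thread itself does not reach that diagnosis, so treat it as the next check rather than the answer. On the capture_loss side, the script flags only the 13:37:59 interval, and the ACK counts there (16, 0, 14, 1, 0, ...) are so small that one gap in one ACK reads as 100% loss while telling you very little.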