[Bro] HTTP not being seen

Schoenefeld, Keith P. Keith_Schoenefeld at baylor.edu
Fri Sep 13 14:41:57 PDT 2013 

I'd point out that the conn.log file lines included in his email indicate that the received and sent bytes are 0, and the connection state is borked -- I believe this would prevent it from being detected as http traffic, and therefore not create an http.log file.

-- KS

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of James Lay
Sent: Friday, September 13, 2013 4:37 PM
To: Keith Butler
Cc: <bro at bro.org>
Subject: Re: [Bro] HTTP not being seen

Hi Keith,

Just ran that http.pcap...looked great in my http.log:

#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	user_agent	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	filename	tags	username	password	proxied	mime_type	md5	extraction_file
#types	time	string	addr	port	addr	port	count	string	string	string	string	string	count	count	count	string	count	string	string	table[enum]	string	string	table[string]	string	string	file
1320279566.452687	JIDwiHjbv85	192.168.2.76	52026	132.235.215.119	80	1	GET	www.reddit.com	/	-	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20100101 Firefox/7.0.1	0	109978	200	OK	-	-	-	(empty)	-	-	-	text/html	-	-
1320279566.831619	VKdyryoPlil	192.168.2.76	52030	72.21.211.173	80	1	GET	e.thumbs.redditmedia.com	/E-pbDbmiBclPkDaX.jpg	http://www.reddit.com/	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0.1) Gecko/20100101 Firefox/7.0.1	0	2300	200	OK	-	-	-	(empty)	-	-	-	image/jpeg	-	-

Thank you.

James

On Sep 13, 2013, at 15:27, Keith Butler <kebutler at gmail.com> wrote:

> In line with Doug's suggestion, can you try a known good source of traffic?  For example a packet trace from Bro Workshop:
> The first exercise on the following page has an http.pcap file:
> http://www.bro.org/bro-workshop-2011/exercises/logs/index.html
> 
> Here is the direct link:
> http://www.bro.org/bro-workshop-2011/exercises/logs/http.pcap
> 
> Try running:
> $ /path/to/your/bro -r http.pcap
> 
> and see what happens?
> 
> -kb
> 
> 
> On Sep 13, 2013, at 3:50 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> 
>> On 2013-09-13 13:31, Liam Randall wrote:
>>> Lets enable your capture loss and see what happens:
>>> 
>>> Add the following to your local.bro; on security onion it will be 
>>> located at /opt/bro/share/bro/site/
>>> 
>>> # count the ACKs, tell me the # and % I am missing @load 
>>> misc/capture-loss.bro
>>> 
>>> # By default capture-loss reports every 15 minutes, lets turn it up 
>>> redef CaptureLoss::watch_interval = 1 min;
>>> 
>>> Give it a couple of minutes and see what the log says under:
>>> 
>>> /nsm/bro/logs/capture_loss.log
>>> 
>>> You will see per worker statistics written every minute.
>>> 
>>> Let us know.
>>> 
>>> Thanks,
>>> 
>>> Liam Randall
>> 
>> 
>> Thanks Liam...here's what I got:
>> #fields ts      ts_delta        peer    gaps    acks    percent_lost
>> #types  time    interval        string  count   count   string
>> 2013-09-13T13:34:59-0600        60.000084       bro     0       16      
>> 0.000%
>> 2013-09-13T13:35:59-0600        60.000044       bro     0       0       
>> 0.000%
>> 2013-09-13T13:36:59-0600        60.000048       bro     0       14      
>> 0.000%
>> 2013-09-13T13:37:59-0600        60.000048       bro     1       1       
>> 100.000%
>> 2013-09-13T13:38:59-0600        60.000038       bro     0       0       
>> 0.000%
>> 2013-09-13T13:39:59-0600        60.000050       bro     0       0       
>> 0.000%
>> 2013-09-13T13:40:59-0600        60.000093       bro     0       0       
>> 0.000%
>> 2013-09-13T13:41:59-0600        60.000023       bro     0       0       
>> 0.000%
>> 2013-09-13T13:42:59-0600        60.000022       bro     0       0       
>> 0.000%
>> 2013-09-13T13:43:59-0600        60.000023       bro     0       0       
>> 0.000%
>> 2013-09-13T13:44:59-0600        60.000089       bro     0       0       
>> 0.000%
>> 2013-09-13T13:45:59-0600        60.000073       bro     0       0       
>> 0.000%
>> 2013-09-13T13:46:59-0600        60.000011       bro     0       0       
>> 0.000%
>> 
>> Bro entries:
>> 2013-09-13T13:45:33-0600        dPCMEyJBiU7     x.x.x.x    47285   
>> 50.18.192.250   80      tcp     -       -       -       -       OTH     
>> -       0       C       0       0       0       0       (empty)
>> 2013-09-13T13:45:33-0600        PFUbImVSSZ2     x.x.x.x    35306   
>> 205.171.2.25    53      udp     63725   www.duckduckgo.com      1       
>> C_INTERNET      1       A       0       NOERROR F       F       T       
>> T       0       duckduckgo.com,50.18.192.250,50.18.192.251      
>> 900.000000,25.000000,25.000000
>> 2013-09-13T13:45:34-0600        8ZduhgTSjm6     x.x.x.x    37025   
>> 205.171.2.25    53      udp     35309   duckduckgo.com  1       
>> C_INTERNET      1       A       0       NOERROR F       F       T       
>> T       0       50.18.192.251,50.18.192.250     24.000000,24.000000
>> 2013-09-13T13:45:34-0600        dPCMEyJBiU7     x.x.x.x    47285   
>> 50.18.192.250   80      active_connection_reuse -       F       bro
>> 
>> 
>> Wget info:
>> [13:45:20 gateway:~$] wget www.duckduckgo.com
>> --2013-09-13 13:45:33--  http://www.duckduckgo.com/ Resolving 
>> www.duckduckgo.com (www.duckduckgo.com)... 50.18.192.250,
>> 50.18.192.251
>> Connecting to www.duckduckgo.com
>> (www.duckduckgo.com)|50.18.192.250|:80... connected.
>> HTTP request sent, awaiting response... 301 Moved Permanently
>> Location: https://duckduckgo.com/ [following]
>> --2013-09-13 13:45:34--  https://duckduckgo.com/ Resolving 
>> duckduckgo.com (duckduckgo.com)... 50.18.192.251,
>> 50.18.192.250
>> Connecting to duckduckgo.com (duckduckgo.com)|50.18.192.251|:443... 
>> connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 8646 (8.4K) [text/html]
>> Saving to: `index.html'
>> 
>> 100%[=========================>] 8,646       --.-K/s   in 0s
>> 
>> 2013-09-13 13:45:34 (86.8 MB/s) - `index.html' saved [8646/8646]
>> 
>> 
>> Tshark info:
>> 2013-09-13 13:45:33.991079 x.x.x.x -> 50.18.192.250 TCP 76 47285 > 80 
>> [SYN] Seq=0 Win=14520 Len=0 MSS=1452 SACK_PERM=1 TSval=147157135 
>> TSecr=0
>> WS=16
>> 2013-09-13 13:45:34.035256 50.18.192.250 -> x.x.x.x TCP 76 80 > 47285 
>> [SYN, ACK] Seq=0 Ack=1 Win=7240 Len=0 MSS=1460 SACK_PERM=1
>> TSval=23107600 TSecr=147157135 WS=1
>> 2013-09-13 13:45:34.035375 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80 
>> [ACK] Seq=1 Ack=1 Win=14528 Len=0 TSval=147157146 TSecr=23107600
>> 2013-09-13 13:45:34.035595 x.x.x.x -> 50.18.192.250 HTTP 186 GET /
>> HTTP/1.1
>> 2013-09-13 13:45:34.082121 50.18.192.250 -> x.x.x.x TCP 68 80 > 47285 
>> [ACK] Seq=1 Ack=119 Win=7122 Len=0 TSval=23107612 TSecr=147157146
>> 2013-09-13 13:45:34.082132 50.18.192.250 -> x.x.x.x HTTP 503 HTTP/1.1
>> 301 Moved Permanently  (text/html)
>> 2013-09-13 13:45:34.082241 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80 
>> [ACK] Seq=119 Ack=436 Win=15600 Len=0 TSval=147157158 TSecr=23107612
>> 2013-09-13 13:45:34.446981 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80 
>> [FIN, ACK] Seq=119 Ack=436 Win=15600 Len=0 TSval=147157249
>> TSecr=23107612
>> 2013-09-13 13:45:34.492112 50.18.192.250 -> x.x.x.x TCP 68 80 > 47285 
>> [FIN, ACK] Seq=436 Ack=120 Win=7121 Len=0 TSval=23107714 
>> TSecr=147157249
>> 2013-09-13 13:45:34.492164 x.x.x.x -> 50.18.192.250 TCP 68 47285 > 80 
>> [ACK] Seq=120 Ack=437 Win=15600 Len=0 TSval=147157260 TSecr=23107714
>> 
>> Not sure what to think...it's very strange.  Thanks again.
>> 
>> James
>> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list