[Bro] unmatched_HTTP_reply in weird.log
Gary Faulkner
gfaulkner.nsm at gmail.com
Thu Jul 24 11:51:05 PDT 2014
Hello,
Recently my Bro cluster started producing a lot of unmatched_HTTP_reply
messages in weird.log and seemed to also stop logging outbound GET
requests in http.log. I did some testing by following both Bro logs as I
browsed to various websites and it looks like every time I visit a new
site, the initial GET request doesn't get logged and a weird is
generated. As such I'm wondering if this may be an indication that Bro
is only seeing half the conversation? I can trace the change in logging
behavior to a specific day, but I can't find any indication that there
were any changes locally that would have stopped Bro from seeing any
particular traffic. Any thoughts? Am I interpreting the logs correctly?
Regards,
Gary
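
Added example (not part of the original message): one way to test the half-conversation hypothesis is to join the uid of each unmatched_HTTP_reply weird against conn.log and inspect the history field, where upper-case letters record packets from the originator and lower-case letters packets from the responder. The sample logs, their reduced column set, the helper names and the second weird name are constructed for illustration.

```python
from collections import Counter

def parse_bro_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def direction(history):
    """conn.log history: upper-case = originator packets, lower-case = responder."""
    orig = any(c.isupper() for c in history)
    resp = any(c.islower() for c in history)
    if orig and resp:
        return "both"
    return "responder_only" if resp else "originator_only" if orig else "unknown"

def summarize(weird_text, conn_text, name="unmatched_HTTP_reply"):
    """Count, per direction class, the connections that raised the given weird."""
    conns = {r["uid"]: r for r in parse_bro_log(conn_text)}
    counts = Counter()
    for w in parse_bro_log(weird_text):
        if w.get("name") != name:
            continue
        conn = conns.get(w.get("uid"))
        counts[direction(conn.get("history", "-")) if conn else "no_conn_entry"] += 1
    return counts

def _log(fields, rows):  # builds a tab-separated Bro-style log for the sample data
    return "\n".join(["#fields\t" + "\t".join(fields)] + ["\t".join(r) for r in rows])

# Constructed sample data (reduced column set, not taken from the post).
CONN_LOG = _log(["ts", "uid", "id.orig_h", "id.resp_h", "history"], [
    ["1406227865.1", "CaAAA1", "10.0.0.5", "192.0.2.10", "hadf"],
    ["1406227866.2", "CbBBB2", "10.0.0.5", "192.0.2.20", "ShADadFf"],
    ["1406227867.3", "CcCCC3", "10.0.0.6", "192.0.2.30", "had"],
])
WEIRD_LOG = _log(["ts", "uid", "name"], [
    ["1406227865.2", "CaAAA1", "unmatched_HTTP_reply"],
    ["1406227866.3", "CbBBB2", "unmatched_HTTP_reply"],
    ["1406227867.4", "CcCCC3", "unmatched_HTTP_reply"],
    ["1406227868.0", "CdDDD4", "some_other_weird"],
])

if __name__ == "__main__":
    for kind, n in summarize(WEIRD_LOG, CONN_LOG).most_common():
        print(f"{kind}\t{n}")
```

A result dominated by responder_only means the sensor sees server-to-client packets but not the client's requests, which points at the tap, SPAN or load-balancing path rather than at the HTTP analyzer.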