[Bro] unmatched_HTTP_reply in weird.log
Justin Azoff
JAzoff at albany.edu
Thu Jul 24 12:09:17 PDT 2014
On Thu, Jul 24, 2014 at 01:51:05PM -0500, Gary Faulkner wrote:
> Hello,
>
> Recently my Bro cluster started producing a lot of unmatched_HTTP_reply
> messages in weird.log and seemed to also stop logging outbound GET
> requests in http.log. I did some testing by following both Bro logs as I
> browsed to various websites and it looks like every time I visit a new
> site, the initial GET request doesn't get logged and a weird is
> generated. As such I'm wondering if this may be an indication that Bro
> is only seeing half the conversation? I can trace the change in logging
> behavior to a specific day, but I can't find any indication that there
> were any changes locally that would have stopped Bro from seeing any
> particular traffic. Anyone thoughts? Am I interpreting the logs correctly?
>
> Regards,
> Gary
Most likely this is a problem upstream from Bro.
To rule out bro as a problem here do something like
tcpdump -nn -i eth1 host your.ip.address and port 80
if you only see one side of the conversion in tcpdump as well that will
rule bro out as the problem.
--
-- Justin Azoff
More information about the Bro
mailing list