[Bro] http incomplete file extraction (Files::ANALYZER_EXTRACT)

Siwek, Jon jsiwek at illinois.edu
Mon Mar 30 09:54:38 PDT 2015


> On Mar 30, 2015, at 1:31 AM, Frank Meier <franky.meier.1 at gmx.de> wrote:
> 
> I was also wondering why the correct size is in the logs. If data was missing I would
> at least have expected a warning or some missing_bytes.

In files.log, the value of total_bytes is just taken from the HTTP Content-Length header.  Since the value of seen_bytes is less than total_bytes, you can suspect Bro didn’t see the full file for some reason.  Do you have a weird.log containing any obvious clues?  Else, I may need the original pcap to understand what went wrong.

- Jon
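As an added illustration of the check Jon describes (not code from the thread or from the Bro project): the script below parses a files.log in Bro's tab-separated format and flags records whose seen_bytes is below total_bytes, attaching a hint about whether a reassembly gap (missing_bytes) or a timeout was recorded for that file. The sample log embedded in it is constructed, and the subset of files.log columns it uses is an assumption made for the demo; a real files.log carries more fields, but the parser reads whichever ones the #fields header names.

```python
"""Flag incomplete file extractions in a Bro/Zeek files.log.

Added example, not part of the original mailing-list thread. In a real
files.log total_bytes comes from the HTTP Content-Length header, so a record
with seen_bytes < total_bytes means Bro did not observe the whole file.
"""
from typing import Dict, List, Optional

# Constructed sample in Bro's tab-separated log format. The column subset is
# an assumption for this demo; real logs carry additional fields.
SAMPLE_FILES_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tfuid\tsource\tmime_type\tseen_bytes\ttotal_bytes"
    "\tmissing_bytes\ttimedout\textracted\n"
    "#types\ttime\tstring\tstring\tstring\tcount\tcount\tcount\tbool\tstring\n"
    # complete: seen == total
    "1427700000.123\tFaaaaa1\tHTTP\tapplication/zip\t51200\t51200\t0\tF\textract-HTTP-Faaaaa1\n"
    # incomplete, no gap and no timeout recorded (the case in the thread)
    "1427700001.456\tFbbbbb2\tHTTP\tapplication/pdf\t30000\t98304\t0\tF\textract-HTTP-Fbbbbb2\n"
    # incomplete, but a reassembly gap was recorded
    "1427700002.789\tFccccc3\tHTTP\timage/png\t4096\t8192\t4096\tF\textract-HTTP-Fccccc3\n"
    # no Content-Length: total_bytes unset ("-"), cannot judge completeness
    "1427700003.012\tFddddd4\tHTTP\ttext/plain\t1200\t-\t0\tF\t-\n"
)


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro ASCII log into dicts keyed by the names in its #fields line."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # #separator, #types, #open, #close and friends
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def to_count(value: str) -> Optional[int]:
    """Bro writes '-' for an unset field; map that to None."""
    return None if value == "-" else int(value)


def incomplete_extractions(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return files whose observed bytes fall short of the advertised length."""
    findings: List[Dict[str, object]] = []
    for rec in records:
        seen = to_count(rec["seen_bytes"])
        total = to_count(rec["total_bytes"])
        if seen is None or total is None or seen >= total:
            continue  # complete, or no Content-Length to compare against
        missing = to_count(rec.get("missing_bytes", "-")) or 0
        timed_out = rec.get("timedout") == "T"
        if missing > 0:
            hint = "reassembly gap recorded in missing_bytes"
        elif timed_out:
            hint = "file timed out before completion"
        else:
            hint = "no gap or timeout recorded; check weird.log or the pcap"
        findings.append({
            "fuid": rec["fuid"],
            "seen_bytes": seen,
            "total_bytes": total,
            "shortfall": total - seen,
            "hint": hint,
        })
    return findings


if __name__ == "__main__":
    for finding in incomplete_extractions(parse_bro_log(SAMPLE_FILES_LOG)):
        print(finding)
```

Run it against a real files.log by replacing SAMPLE_FILES_LOG with the file's contents; records without a Content-Length (total_bytes of "-") are skipped rather than reported, since there is nothing to compare seen_bytes against.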


