[Bro] Bro Not Extracting Host Fields from HTTP Traffic

Arash Fallah af7 at umbc.edu
Tue Jul 12 08:16:06 PDT 2016


I'm having an issue where Bro is not extracting the host field correctly
from captured HTTP traffic (in the form of a PCAP). I've verified it has
nothing to do with split-routing. I also manually examined the PCAP file
using Wireshark and found the host field to be present in all instances. I
am a bit puzzled. This is significant for our use case because we will be
using Bro to monitor for malicious URLs and the like.

I have my http.log, weird.log, and the PCAP file itself. Unfortunately, I
cannot attach the PCAP due to its size and the mail list rejecting the
message. Please reply and I will send the PCAP individually.

Any advice is appreciated.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: http.log
Type: text/x-log
Size: 13961 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160712/05cf5d18/attachment-0002.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: weird.log
Type: text/x-log
Size: 36202 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160712/05cf5d18/attachment-0003.bin 
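Before concluding that the analyzer is at fault, the first thing to check is what the logs themselves say: in Bro's TSV logs the value `-` is the `#unset_field` marker, so a `host` column reading `-` means the field was never set for that request, and weird.log entries sharing the same connection `uid` often explain why. The following triage script is an added example, not code from the original post or from the Bro project; it parses the log header (`#separator`, `#unset_field`, `#fields`) rather than hard-coding column positions, counts http.log records with no host value, and joins weird.log on `uid`. The two embedded logs are constructed for this example; the uids, addresses and weird names in them are illustrative.

```python
"""Triage check for Bro/Zeek http.log entries whose host field is unset.

Parses the tab-separated log format using the #separator, #unset_field and
#fields header lines (column positions are never hard-coded), then joins
weird.log on the connection uid so that host-less requests can be matched
against the protocol oddities Bro reported for the same connection.

The two logs below are constructed sample data for this example.
"""
from collections import Counter
from typing import Dict, List, Optional

# Constructed http.log excerpt: two of the four requests have an unset host ("-").
HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth\tmethod\thost\turi\tuser_agent\tstatus_code
#types\ttime\tstring\taddr\tport\taddr\tport\tcount\tstring\tstring\tstring\tstring\tcount
1468337000.000000\tC1a2b3\t10.0.0.5\t51000\t93.184.216.34\t80\t1\tGET\texample.com\t/\tcurl/7.47.0\t200
1468337001.000000\tC4d5e6\t10.0.0.5\t51001\t93.184.216.34\t80\t1\tGET\t-\t/index.html\t-\t-
1468337002.000000\tC7f8g9\t10.0.0.6\t51002\t198.51.100.7\t8080\t1\tPOST\tupdates.example.net\t/check\tMozilla/5.0\t200
1468337003.000000\tCh1i2j\t10.0.0.7\t51003\t198.51.100.7\t80\t1\t-\t-\t-\t-\t-
#close\t2016-07-12-08-00-00
"""

# Constructed weird.log excerpt: one entry shares a uid with a host-less request.
WEIRD_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tweird
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring
1468337001.100000\tC4d5e6\t10.0.0.5\t51001\t93.184.216.34\t80\tbad_HTTP_request\t-\tF\tbro
1468337002.100000\tC7f8g9\t10.0.0.6\t51002\t198.51.100.7\t8080\tHTTP_version_mismatch\t-\tF\tbro
#close\t2016-07-12-08-00-00
"""


def parse_zeek_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse a Bro/Zeek TSV log into dicts keyed by the #fields names.

    Values equal to the #unset_field marker are returned as None so that
    "unset" and a literal string can never be confused downstream.
    """
    sep = "\t"
    unset = "-"
    fields: List[str] = []
    rows: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # Written as "#separator \x09": a space, then an escaped byte.
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#"):
            continue  # #set_separator, #empty_field, #path, #open, #types, #close
        else:
            values = line.split(sep)
            if not fields or len(values) != len(fields):
                raise ValueError(f"column count does not match #fields: {line!r}")
            rows.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return rows


def missing_host_report(http_text: str, weird_text: str) -> Dict[str, object]:
    """Count http.log records with no host and attribute them to weird names by uid."""
    http = parse_zeek_log(http_text)
    weird_by_uid: Dict[str, List[str]] = {}
    for w in parse_zeek_log(weird_text):
        weird_by_uid.setdefault(w["uid"] or "", []).append(w["name"] or "")
    no_host = [r for r in http if r["host"] is None]
    reasons: Counter = Counter()
    for r in no_host:
        for name in weird_by_uid.get(r["uid"] or "", ["(no weird entry)"]):
            reasons[name] += 1
    return {
        "total": len(http),
        "missing_host": len(no_host),
        "missing_uids": [r["uid"] for r in no_host],
        "weird_names": dict(reasons),
    }


if __name__ == "__main__":
    report = missing_host_report(HTTP_LOG, WEIRD_LOG)
    print(f"{report['missing_host']} of {report['total']} http.log records have no host")
    for uid in report["missing_uids"]:
        print("  uid without host:", uid)
    for name, n in report["weird_names"].items():
        print(f"  {name}: {n}")
```

Run it against the real files by replacing the two embedded strings with the contents of http.log and weird.log; a host-less request whose uid maps to a weird name such as `bad_HTTP_request` points at a request Bro could not parse, while one with no weird entry at all is the case worth raising with the PCAP in hand.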