[Bro] bro http/ssl question

Azoff, Justin S jazoff at illinois.edu
Thu Mar 17 06:29:13 PDT 2016


> On Mar 16, 2016, at 9:21 PM, Dk Jack <dnj0496 at gmail.com> wrote:
> 
> What I've noticed is that (although the traffic volume is relatively the same on both interfaces) the
> connections are not showing up in the http.log. Although, some of them do show up (less than 1% 
> of the traffic). The ssl.log shows a record for each connection. I am suspecting that un-encrypted 
> http traffic received on port 443 is being parsed as ssl traffic by Bro. 
> 

That port doesn't matter...

Does that decryption device send correct tcp checksums?  The lack of proper checksums would explain why most of the traffic is missing.


See https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums


If the traffic was being received on the same interface I'd say that this probably wouldn't work at all since the tcp reassembler would get horribly confused, but since separate processes are receiving the different streams I think it should work.

You say that the unencrypted connections are not showing up in http.log; are they showing up in the conn.log?



-- 
- Justin Azoff
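One way to confirm the checksum suspicion raised above before touching Bro's configuration is to verify the TCP checksums on a sample of packets from each interface. The following is an added example (not code from the thread or from the Bro project): it builds a constructed IPv4/TCP frame carrying plaintext HTTP on port 443, recomputes the TCP checksum over the IPv4 pseudo-header as in RFC 1071/793, and reports how many frames in a batch fail. The addresses, ports and payload are constructed sample values; in practice the frames would come from a pcap captured on the interface fed by the decryption device.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_checksum_ipv4(src: bytes, dst: bytes, tcp_segment: bytes) -> int:
    """Correct TCP checksum for a segment between two IPv4 addresses.
    Covers the pseudo-header (src, dst, zero, protocol 6, TCP length) plus the
    segment with its own checksum field (bytes 16..17) zeroed."""
    seg = bytearray(tcp_segment)
    seg[16:18] = b"\x00\x00"
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    return internet_checksum(pseudo + bytes(seg))


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample frame: IPv4 header (no options) + TCP header (no options) + payload,
    with both the IP header checksum and the TCP checksum filled in correctly."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    # seq=1, ack=1, data offset 5 words, flags PSH|ACK, window 65535, checksum 0, urgent 0
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0))
    tcp += payload
    tcp[16:18] = struct.pack("!H", tcp_checksum_ipv4(src_b, dst_b, bytes(tcp)))
    total_len = 20 + len(tcp)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                               64, 6, 0, src_b, dst_b))
    ip[10:12] = struct.pack("!H", internet_checksum(bytes(ip)))
    return bytes(ip) + bytes(tcp)


def tcp_checksum_ok(frame: bytes) -> bool:
    """Parse an IPv4 frame carrying TCP and report whether its TCP checksum verifies."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 6:
        raise ValueError("not a TCP packet")
    total_len = struct.unpack("!H", frame[2:4])[0]
    src, dst = frame[12:16], frame[16:20]
    seg = frame[ihl:total_len]
    stored = struct.unpack("!H", seg[16:18])[0]
    return tcp_checksum_ipv4(src, dst, seg) == stored


def count_checksum_failures(frames) -> tuple:
    """Return (good, bad) counts for a batch of IPv4/TCP frames.
    A high 'bad' share on the decrypted interface is the symptom the thread describes:
    Bro (by default) discards segments with bad checksums, so those connections never
    reach the HTTP analyzer."""
    good = bad = 0
    for f in frames:
        if tcp_checksum_ok(f):
            good += 1
        else:
            bad += 1
    return good, bad


if __name__ == "__main__":
    # Constructed sample: plaintext HTTP on port 443, as emitted by a decryption device.
    ok_frame = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 51000, 443,
                              b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    broken = bytearray(ok_frame)
    broken[20 + 16] ^= 0xFF           # corrupt the high byte of the TCP checksum field
    print(count_checksum_failures([ok_frame, bytes(broken), ok_frame]))   # (2, 1)
```

If the sampled frames from the decryption device fail verification while the frames from the other interface pass, the missing http.log entries are explained by checksum drops rather than by port-443 analyzer selection. In that case the Bro-side fix referenced in the FAQ link above is to make that worker ignore checksums, either with the `-C` command-line flag or with `redef ignore_checksums = T;` in the site policy, ideally only for the worker that receives the already-decrypted stream.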



