[Bro] How to detect transparent proxy by BRO IDS (2.4.1)

Johanna Amann johanna at icir.org
Tue Oct 25 12:02:09 PDT 2016

Hi Hafiz,

there is no reason why Bro should not log HTTP sessions when there is a
transparent proxy (which, as the name suggest, should also be transparent
to Bro). Hence I assume there is something different going on.

Do your conn.log entries look like Bro sees entire TCP sessions?


On Mon, Oct 24, 2016 at 09:36:08AM +0500, Hafiz Shafiq wrote:
> Sir,
> Our network administrator is using proxy in transparent mode (SQUID). In
> this mode , there is no need for user to configure proxy option on his
> computer. I have captured few hours traffic via tcpdump and when I run bro,
> to know about http trafffic and defferent apps used (like google, youtube
> etc.). I am amazed to know that there is even not http.log and
> app_stats.log files generated. Is it some problem in bro configuration. I
> have searched from its manual, infomation given about proxy could not solve
> my problem. I have checked load_scripts.log. I shows that http analyzer is
> loaded.
> Can you please guide me about this issue ?
> Regards
> Hafiz Muhammad Shafiq

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list