[Bro] - http$host diff between bro and broctl

Azoff, Justin S jazoff at illinois.edu
Wed Jun 21 14:17:05 PDT 2017


> On Jun 21, 2017, at 12:29 PM, william de ping <bill.de.ping at gmail.com> wrote:
> 
> Hi all,
> 
> Scenario 1: bro instance on my local interface + browsing to www.bbc.com
> Scenario 2: bro cluster with a single worker on my local interface + browsing to www.cnn.com
> 
> In http.log,
> in the 1st scenario, the host field is initialized with www.bbc.com
> in the 2nd scenario, the host field is NOT initialized
> 
> I'm running bro 2.5
> 
> Is there any explanation for the diff?

You're probably starting bro differently in the two cases.

https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums

-- 
- Justin Azoff



