[Bro] Blank HTTP logs

Josh Guild josh.guild at morphick.com
Wed Mar 22 11:30:11 PDT 2017


Howdy all,

I've been running into an issue with the http.log not populating fields
(method, host, uri, referrer, UA) when spanned. I'm still getting the
status_code and status_msg populated in the http.log and I've read an
ancient article where Seth says this may be because of TCP checksum
offloading (https://groups.google.com/forum/#!topic/security-onion/12jqLwMShUo).

We currently have rx/tx-checksumming disabled on the ports we're monitoring
but rx/tx-vlan-offload is enabled, could this be the culprit?

The largest entries in the weird.log are window_recision,
data_before_established, and possible_split_routing.

Any help would be much appreciated!

-- 
Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
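As an added example (not part of Josh's post and not a Bro/Zeek tool), the script below quantifies the symptom described above so it can be checked rather than eyeballed: it parses the tab-separated Bro log format from its `#fields` / `#unset_field` / `#empty_field` header lines, counts http.log records that carry a `status_code` but none of `method`, `host` or `uri` (one-sided sessions, the signature of the response side being parsed while the request side was dropped), and tallies weird.log names. The sample logs are constructed and use only a subset of the real http.log and weird.log columns; the field names are the real ones.

```python
"""Triage helper for one-sided HTTP sessions in Bro/Zeek logs (added example)."""
from collections import Counter

# Constructed sample logs (trimmed column subset, not real captures).
# Header lines follow the Bro ASCII writer: '#separator' is followed by a
# space and an escaped separator; every other header line is tab-separated.
SAMPLE_HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tmethod\thost\turi\tstatus_code\tstatus_msg
#types\ttime\tstring\taddr\tstring\tstring\tstring\tcount\tstring
1490207411.1\tCabc1\t10.0.0.5\t-\t-\t-\t200\tOK
1490207412.2\tCabc2\t10.0.0.6\tGET\texample.test\t/index.html\t200\tOK
1490207413.3\tCabc3\t10.0.0.7\t-\t-\t-\t404\tNot Found
1490207414.4\tCabc4\t10.0.0.8\t-\t-\t-\t-\t-
#close\t2017-03-22-11-30-11
"""

SAMPLE_WEIRD_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tweird
#fields\tts\tuid\tid.orig_h\tname\tnotice
#types\ttime\tstring\taddr\tstring\tbool
1490207411.1\tCabc1\t10.0.0.5\twindow_recision\tF
1490207412.2\tCabc2\t10.0.0.6\tdata_before_established\tF
1490207413.3\tCabc3\t10.0.0.7\twindow_recision\tF
1490207414.4\tCabc4\t10.0.0.8\tpossible_split_routing\tF
1490207415.5\tCabc5\t10.0.0.9\tbad_TCP_checksum\tF
#close\t2017-03-22-11-30-11
"""

# http.log fields that only exist once Bro has seen the client's request.
REQUEST_FIELDS = ("method", "host", "uri")


def parse_bro_log(text):
    """Return a list of dicts, one per data line, honouring the log's own
    separator, unset marker ('-' -> None) and empty marker ('(empty)' -> '')."""
    sep, unset, empty, fields, rows = "\t", "-", "(empty)", None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # e.g. '#separator \x09' -> decode the escape to a real tab
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split(sep)
            continue
        values = line.split(sep)
        if fields is None or len(values) != len(fields):
            raise ValueError("data line before #fields or wrong column count")
        rows.append({k: (None if v == unset else "" if v == empty else v)
                     for k, v in zip(fields, values)})
    return rows


def one_sided_http_summary(rows):
    """Count records with a server status but no request fields at all."""
    total = len(rows)
    response_only = sum(
        1 for r in rows
        if r.get("status_code") is not None
        and all(r.get(f) is None for f in REQUEST_FIELDS)
    )
    return {"total": total, "response_only": response_only,
            "ratio": response_only / total if total else 0.0}


def weird_counts(rows):
    """Tally weird.log names; checksum weirds alongside a high one-sided
    ratio point at the capture path (offload, split routing), not at Bro."""
    return Counter(r["name"] for r in rows if r.get("name"))


if __name__ == "__main__":
    print(one_sided_http_summary(parse_bro_log(SAMPLE_HTTP_LOG)))
    print(weird_counts(parse_bro_log(SAMPLE_WEIRD_LOG)).most_common())
```

Run it against a real http.log and weird.log by reading the files into the two functions; a one-sided ratio near 1.0 on a sensor that otherwise sees both directions is the number to bring to the capture team, and the weird tally shows whether checksum-related names accompany the window_recision / possible_split_routing entries from the post.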

