[Bro] Blank HTTP logs
Josh Guild
josh.guild at morphick.com
Wed Mar 22 11:30:11 PDT 2017
Howdy all,
I've been running into an issue with the http.log not populating fields
(method, host, uri, referrer, UA) when spanned. I'm still getting the
status_code and status_msg populated in the http.log and I've read an
ancient article where Seth says this may be because of TCP checksum
offloading
(https://groups.google.com/forum/#!topic/security-onion/12jqLwMShUo).
We currently have rx/tx-checksumming disabled on the ports we're monitoring
but rx/tx-vlan-offload is enabled. Could this be the culprit?
The largest entries in the weird.log are window_recision,
data_before_established, and possible_split_routing.
Any help would be much appreciated!
--
Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>