[Bro] Blank HTTP logs

Seth Hall seth at corelight.com
Wed Mar 22 12:07:45 PDT 2017


I suspect that your span port is only capturing one direction of the
traffic. All of the fields that you said are missing are from the client.

Check your conn log to see if you're seeing orig_pkts or resp_pkts
frequently set to zero.

  .Seth

On Wed, Mar 22, 2017 at 2:32 PM Josh Guild <josh.guild at morphick.com> wrote:

> Howdy all,
>
> I've been running into an issue with the http.log not populating fields
> (method, host, uri, referrer, UA) when spanned. I'm still getting the
> status_code and status_msg populated in the http.log and I've read an
> ancient article where Seth says this may be because of TCP checksum
> offloading (
> https://groups.google.com/forum/#!topic/security-onion/12jqLwMShUo).
>
> We currently have rx/tx-checksumming disabled on the ports we're
> monitoring but rx/tx-vlan-offload is enabled, could this be the culprit?
>
> The largest entries in the weird.log are window_recision,
> data_before_established, and possible_split_routing.
>
> Any help would be much appreciated!
>
> --
> Josh Guild
> Network Intelligence Analyst
> <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
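One way to run the conn.log check Seth suggests, as an added example that is not part of the original thread or of the Bro project: it parses a conn.log using its `#fields` header (so it works on a real log with the full column set) and reports how many TCP connections have `orig_pkts` or `resp_pkts` equal to zero, grouped by responder port. The embedded sample log, the helper names and the 20% threshold in `verdict()` are constructed assumptions, not values from the thread.

```python
"""Check a Bro/Zeek conn.log for connections seen in only one direction.

Added example, not code from the original thread or from the Bro project.
It assumes the standard tab-separated conn.log layout whose '#fields'
header names the columns; the embedded sample log is constructed.
"""
from collections import Counter

# Constructed sample conn.log: the standard header lines plus a subset of
# the usual columns (a real log has more; lookup is by name, so extra
# columns are harmless). Two of the three TCP rows have orig_pkts == 0,
# i.e. only the responder's packets reached the sensor.
_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "proto", "service", "conn_state", "history", "orig_pkts", "resp_pkts"]
_ROWS = [
    ["1490200000.000000", "Cx1", "10.0.0.5", "51000", "93.184.216.34", "80",
     "tcp", "http", "SF", "ShADadFf", "6", "5"],
    ["1490200001.000000", "Cx2", "10.0.0.6", "51001", "93.184.216.34", "80",
     "tcp", "http", "OTH", "HADF", "0", "4"],
    ["1490200002.000000", "Cx3", "10.0.0.7", "51002", "93.184.216.34", "443",
     "tcp", "ssl", "OTH", "HADF", "0", "9"],
    ["1490200003.000000", "Cx4", "10.0.0.8", "53120", "10.0.0.1", "53",
     "udp", "dns", "SF", "Dd", "1", "1"],
]
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
     "#unset_field\t-", "#path\tconn", "#fields\t" + "\t".join(_FIELDS)]
    + ["\t".join(r) for r in _ROWS]
) + "\n"


def parse_conn_log(text):
    """Yield one dict per data line, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other header/footer lines (#separator, #types, #close, ...)
        if fields is None:
            raise ValueError("data line before #fields header")
        yield dict(zip(fields, line.split("\t")))


def _count(value):
    """A Bro 'count' column: '-' means unset, which for a packet counter means none seen."""
    return 0 if value == "-" else int(value)


def one_sided_summary(text, proto="tcp"):
    """Count connections of the given protocol where orig_pkts or resp_pkts is zero.

    Returns totals, per-direction zero counts, the fraction of connections
    with exactly one silent side, and which responder ports those cluster on.
    """
    total = orig_zero = resp_zero = 0
    by_port = Counter()
    for rec in parse_conn_log(text):
        if rec.get("proto") != proto:
            continue
        total += 1
        o, r = _count(rec["orig_pkts"]), _count(rec["resp_pkts"])
        if o == 0:
            orig_zero += 1
        if r == 0:
            resp_zero += 1
        if (o == 0) != (r == 0):  # exactly one side produced no packets
            by_port[rec["id.resp_p"]] += 1
    one_sided = sum(by_port.values())
    return {
        "total": total,
        "orig_pkts_zero": orig_zero,
        "resp_pkts_zero": resp_zero,
        "one_sided": one_sided,
        "one_sided_fraction": (one_sided / total) if total else 0.0,
        "by_resp_port": dict(by_port),
    }


def verdict(summary, threshold=0.2):
    """Turn the counts into Seth's heuristic: if a large share of TCP
    connections show packets from one side only, the SPAN/tap is probably
    feeding one direction. The 20% threshold is an assumed starting point."""
    if summary["total"] == 0:
        return "no tcp connections in log"
    if summary["one_sided_fraction"] >= threshold:
        return "likely one-directional capture"
    return "both directions visible"


if __name__ == "__main__":
    import sys
    # Pass a real conn.log path to check it; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONN_LOG
    summary = one_sided_summary(text)
    print(summary)
    print(verdict(summary))
```

Run it against the sensor's current conn.log; a high one-sided fraction concentrated on ports 80 and 443 matches the symptom in the thread, where responder-side HTTP fields (status_code, status_msg) appear but the client-side ones (method, host, uri) do not.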