[Bro] HTTP responses details are missing

BortolameottiR r.bortolameotti at utwente.nl
Tue Nov 14 10:09:47 PST 2017


Dear all,

I have a simple question. When I run bro against a .pcap file, it
happens that some log lines do not show any detail regarding the
response e.g., response_body_len, status_msg, status_code, resp_fuids
etc. Is it a problem of the HTTP analyzer?

I am currently trying to extract all the text/files of all responses,
however it seems that some connections' responses are not parsed by the
HTTP analyzer.

I tried to extract the files (following the scripts below), however also
in these settings some "files" were missing. In my case I am talking
about .css / .html / .js in the response content.

- https://www.bro.org/sphinx/scripts/policy/frameworks/files/extract-all-files.bro.html

- https://www.bro.org/sphinx-git/httpmonitor/index.html (at the bottom)

When you look in conn.log, the same connection (according to the id)
shows the amount of bytes of the response. If you inspect the file using
Wireshark you can also see that there was a response. 

Any idea on what could be the issue?

I can even share the .pcap if needed.

Best,

R.




