[Bro] HTTP responses details are missing

BortolameottiR r.bortolameotti at utwente.nl
Wed Nov 15 02:41:29 PST 2017


Hi Seth,

Thanks for the suggestion. That was not the case. While I was
debugging I saw that most connections without files were missing bytes
(in the conn.log) and were present in the weird.log due to truncated TCP.

The .pcap in question was generated by replaying a capture (with tcp
replay), and we have injected some traffic in it. Bro apparently did not
like it. With the original .pcap we did not encounter this issue.

So the problem was not in Bro. :)

Thanks again,

Best regards,

Riccardo

On 11/14/2017 07:49 PM, Seth Hall wrote:
> It's most likely that you have had offloaded checksums when you
> captured the PCAP.  More information here:
>     https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums
>
>
>   .Seth
>
> On 14 Nov 2017, at 13:09, BortolameottiR wrote:
>
>> Dear all,
>>
>> I have a simple question. When I run bro against a .pcap file, it
>> happens that some log lines do not show any detail regarding the
>> response e.g., response_body_len, status_msg, status_code, resp_fuids
>> etc. Is it a problem of the HTTP analyzer?
>>
>> I am currently trying to extract all the text/files of all responses,
>> however it seems that some connections' responses are not parsed by the
>> HTTP analyzer.
>>
>> I tried to extract the files (following the scripts below), however also
>> in these settings some "files" were missing. In my case I am talking
>> about .css / .html / .js in the response content.
>>
>> - https://www.bro.org/sphinx/scripts/policy/frameworks/files/extract-all-files.bro.html
>>
>> - https://www.bro.org/sphinx-git/httpmonitor/index.html (at the bottom)
>>
>> When you look in conn.log, the same connection (according to the id)
>> shows the amount of bytes of the response. If you inspect the file using
>> Wireshark you can also see that there was a response. 
>>
>> Any idea on what could be the issue?
>>
>> I can even share the .pcap if needed.
>>
>> Best,
>>
>> R.
>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> -- 
> Seth Hall * Corelight, Inc * www.corelight.com
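The check Riccardo describes (http.log entries with no response details, cross-referenced with conn.log missed_bytes and weird.log), written up as an added example; this is not code from the thread or from Bro. The log excerpts are constructed, trimmed to the relevant columns, and the weird name "truncated_TCP" is a placeholder for whatever weird.log actually reported.

```python
from collections import defaultdict

RESP_FIELDS = ("status_code", "status_msg", "response_body_len", "resp_fuids")

def parse_bro_tsv(text):
    """Parse a Bro/Zeek TSV log (#fields header, '-' = unset) into dicts."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def likely_cause(missed_bytes, weirds):
    """Map the evidence to the two explanations raised in the thread."""
    if any("checksum" in w for w in weirds):
        return "checksum offload at capture time (see the FAQ link)"
    if missed_bytes > 0 or any(w.startswith("truncated") for w in weirds):
        return "truncated or missing TCP segments in the pcap"
    return "unknown: look at the analyzer/scripts next"

def diagnose(http_text, conn_text, weird_text):
    """For each http.log uid lacking response fields, gather conn/weird evidence."""
    conn = {r["uid"]: r for r in parse_bro_tsv(conn_text)}
    weirds = defaultdict(list)
    for r in parse_bro_tsv(weird_text):
        weirds[r["uid"]].append(r["name"])
    findings = {}
    for r in parse_bro_tsv(http_text):
        if all(r.get(f, "-") == "-" for f in RESP_FIELDS):
            c, names = conn.get(r["uid"], {}), weirds.get(r["uid"], [])
            missed = int(c.get("missed_bytes", "0").replace("-", "0"))
            findings[r["uid"]] = {"missed_bytes": missed, "weirds": names,
                                  "cause": likely_cause(missed, names)}
    return findings

# Constructed sample logs (not real captures); "truncated_TCP" is a placeholder weird name.
HTTP_LOG = "\n".join([
    "#fields\tts\tuid\thost\turi\tstatus_code\tstatus_msg\tresponse_body_len\tresp_fuids",
    "1510680000.1\tCabc1\texample.test\t/style.css\t-\t-\t-\t-",
    "1510680000.2\tCabc2\texample.test\t/index.html\t200\tOK\t1234\tFxyz1"])
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tresp_bytes\tmissed_bytes\thistory",
    "1510680000.1\tCabc1\t5120\t4096\tShADad",
    "1510680000.2\tCabc2\t1500\t0\tShADadFf"])
WEIRD_LOG = "\n".join([
    "#fields\tts\tuid\tname",
    "1510680000.1\tCabc1\ttruncated_TCP"])
if __name__ == "__main__": print(diagnose(HTTP_LOG, CONN_LOG, WEIRD_LOG))
```

Run it against the real http.log, conn.log and weird.log from the same Bro run; a uid that shows up with missed_bytes > 0 or a truncation weird points at the capture, not at the HTTP analyzer.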
