[Bro] bro http message verbosity

Azoff, Justin S jazoff at illinois.edu
Mon Nov 27 09:16:30 PST 2017


> On Nov 27, 2017, at 7:24 AM, Mehmet EKICI <mekici at netas.com.tr> wrote:
> 
> Hi All,
> We are trying to use bro to monitor http messages on a wire. We are getting very coarse logs and wonder how we can increase verbosity to see all the parsed message details in the log.
> 
> Bro version is 2.4.1

2.4.1 is over 2 years old at this point. You should be on 2.5.x, or minimally, 2.4.2.

> 
> Here are some example messages we get:
> 
> {"ts":"2017-11-27T12:14:29.850476Z","uid":"CvtiHbXu0dt9pdFMa","id.orig_h":"10.2.150.237","id.orig_p":42798,"id.resp_h":"10.2.150.226","id.resp_p":9441,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
> {"ts":"2017-11-27T12:14:33.578491Z","uid":"CuGJzp3JYtJLxu3NN1","id.orig_h":"10.2.150.226","id.orig_p":54376,"id.resp_h":"10.2.150.228","id.resp_p":6188,"name":"active_connection_reuse","notice":false,"peer":"bro"}
> {"ts":"2017-11-27T12:14:33.578491Z","uid":"COJykR3r39KwcvIPae","id.orig_h":"10.2.150.228","id.orig_p":6188,"id.resp_h":"10.2.150.226","id.resp_p":54376,"name":"data_before_established","notice":false,"peer":"bro"}
> {"ts":"2017-11-27T12:14:41.454466Z","uid":"CuKy3C1TkabD0KvC26","id.orig_h":"10.2.150.227","id.orig_p":38672,"id.resp_h":"10.2.150.226","id.resp_p":8020,"name":"data_before_established","notice":false,"peer":"bro"}
> {"ts":"2017-11-27T12:14:43.578437Z","uid":"CFLCdn2bwXadx8g0al","id.orig_h":"10.2.150.226","id.orig_p":54378,"id.resp_h":"10.2.150.228","id.resp_p":6188,"name":"active_connection_reuse","notice":false,"peer":"bro"}
> {"ts":"2017-11-27T12:14:43.578437Z","uid":"CKZBqUlmUlkdtvMDd","id.orig_h":"10.2.150.228","id.orig_p":6188,"id.resp_h":"10.2.150.226","id.resp_p":54378,"name":"data_before_established","notice":false,"peer":"bro"}
> 

Well, that's the weird.log, not the http.log.  The http.log will have http related entries.  If you're still not seeing what you expect there, it's probably because of

https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums
— 
Justin Azoff
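A small triage helper, added here as an example and not part of the thread, that reads JSON log lines like the ones quoted above, says which Bro log they came from (weird.log records carry name/notice/peer, http.log records carry method/host/status_code), and flags the checksum-failure weirds (bad_TCP_checksum and friends) that point at the offloading problem described in the linked FAQ. The sample mixes two of the poster's weird.log lines with two constructed bad_TCP_checksum records; the field heuristics and the "half the weirds are checksum failures" threshold are assumptions of this example.

```python
import json
from collections import Counter

# Weird names Bro emits when a packet's checksum does not verify. A sensor
# drowning in these usually has NIC checksum offloading enabled, and Bro
# discards those packets before the HTTP analyzer ever sees them.
CHECKSUM_WEIRDS = {"bad_TCP_checksum", "bad_UDP_checksum", "bad_IP_checksum"}


def classify_record(rec):
    """Guess which Bro log a JSON record came from by its distinctive fields (assumed heuristic)."""
    if "method" in rec or "host" in rec or "status_code" in rec:
        return "http"
    if "name" in rec and "notice" in rec and "peer" in rec:
        return "weird"
    return "unknown"


def triage(lines):
    """Summarise JSON log lines: per-log counts, weird names seen, and whether
    checksum failures make up at least half of the weird.log records."""
    logs = Counter()
    weird_names = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        kind = classify_record(rec)
        logs[kind] += 1
        if kind == "weird":
            weird_names[rec["name"]] += 1
    checksum_hits = sum(weird_names[n] for n in CHECKSUM_WEIRDS)
    return {
        "logs": dict(logs),
        "weird_names": dict(weird_names),
        "checksum_suspect": checksum_hits > 0 and checksum_hits >= logs["weird"] / 2,
    }


# Constructed sample: two lines from the post plus two made-up bad_TCP_checksum
# records (uids CONSTRUCTED01/02 are placeholders, not real Bro uids).
SAMPLE = """
{"ts":"2017-11-27T12:14:29.850476Z","uid":"CvtiHbXu0dt9pdFMa","id.orig_h":"10.2.150.237","id.orig_p":42798,"id.resp_h":"10.2.150.226","id.resp_p":9441,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2017-11-27T12:14:33.578491Z","uid":"CuGJzp3JYtJLxu3NN1","id.orig_h":"10.2.150.226","id.orig_p":54376,"id.resp_h":"10.2.150.228","id.resp_p":6188,"name":"active_connection_reuse","notice":false,"peer":"bro"}
{"ts":"2017-11-27T12:15:00.000000Z","uid":"CONSTRUCTED01","id.orig_h":"10.2.150.230","id.orig_p":40000,"id.resp_h":"10.2.150.226","id.resp_p":80,"name":"bad_TCP_checksum","notice":false,"peer":"bro"}
{"ts":"2017-11-27T12:15:01.000000Z","uid":"CONSTRUCTED02","id.orig_h":"10.2.150.231","id.orig_p":40001,"id.resp_h":"10.2.150.226","id.resp_p":80,"name":"bad_TCP_checksum","notice":false,"peer":"bro"}
"""


def demo():
    """Run the triage over the constructed sample and return the summary."""
    return triage(SAMPLE.splitlines())


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

If checksum_suspect comes back true for a real capture, the FAQ above is the place to start before tuning any HTTP logging.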