[Bro] bro http message verbosity

Dopheide, Jeannette M jdopheid at illinois.edu
Tue Nov 28 06:26:17 PST 2017 

Hello, Justin replied to this message yesterday:

On 11/27/17, 11:16 AM, "bro-bounces at bro.org on behalf of Azoff, Justin S" <bro-bounces at bro.org on behalf of jazoff at illinois.edu> wrote:

> On Nov 27, 2017, at 7:24 AM, Mehmet EKICI <mekici at netas.com.tr> wrote:
>
> Hi All,
> We are trying to use bro to monitor http messages on a wire. We are getting very coarse logs and wonder how can we increase verbosity to see all the parsed message details in the log.
>
> Bro version is 2.4.1

2.4.1 is over 2 years old at this point, You should be on 2.5.x, or minimally, 2.4.2

>
> Here are some example  messages we get;
>
> {"ts":"2017-11-27T12:14:29.850476Z","uid":"CvtiHbXu0dt9pdFMa","id.orig_h":"10.2.150.237","id.orig_p":42798,"id.resp_h":"10.2.150.226","id.resp_p":9441,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
> {"ts":"2017-11-27T12:14:33.578491Z","uid":"CuGJzp3JYtJLxu3NN1","id.orig_h":"10.2.150.226","id.orig_p":54376,"id.resp_h":"10.2.150.228","id.resp_p":6188,"name":"active_connection_reuse","notice":false,"peer":"bro"}
> {"ts":"2017-11-27T12:14:33.578491Z","uid":"COJykR3r39KwcvIPae","id.orig_h":"10.2.150.228","id.orig_p":6188,"id.resp_h":"10.2.150.226","id.resp_p":54376,"name":"data_before_established","notice":false,"peer":"bro"}
> {"ts":"2017-11-27T12:14:41.454466Z","uid":"CuKy3C1TkabD0KvC26","id.orig_h":"10.2.150.227","id.orig_p":38672,"id.resp_h":"10.2.150.226","id.resp_p":8020,"name":"data_before_established","notice":false,"peer":"bro"}
> {"ts":"2017-11-27T12:14:43.578437Z","uid":"CFLCdn2bwXadx8g0al","id.orig_h":"10.2.150.226","id.orig_p":54378,"id.resp_h":"10.2.150.228","id.resp_p":6188,"name":"active_connection_reuse","notice":false,"peer":"bro"}
> {"ts":"2017-11-27T12:14:43.578437Z","uid":"CKZBqUlmUlkdtvMDd","id.orig_h":"10.2.150.228","id.orig_p":6188,"id.resp_h":"10.2.150.226","id.resp_p":54378,"name":"data_before_established","notice":false,"peer":"bro"}
>

Well, that's the weird.log, not the http.log.  The http.log will have http related entries.  If you're still not seeing what you expect there, it's probably because of

https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums



------
Jeannette Dopheide
Sr. Education, Outreach, and Training Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign


From: <bro-bounces at bro.org> on behalf of Mehmet EKICI <mekici at netas.com.tr>
Date: Monday, November 27, 2017 at 11:45 PM
To: "bro at bro.org" <bro at bro.org>
Subject: Re: [Bro] bro http message verbosity

Hi All,
Ping ?

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Mehmet EKICI
Sent: Monday, November 27, 2017 3:24 PM
To: bro at bro.org
Subject: [Bro] bro http message verbosity

Hi All,
We are trying to use bro to monitor http messages on a wire. We are getting very coarse logs and wonder how can we increase verbosity to see all the parsed message details in the log.

Bro version is 2.4.1

Here are some example  messages we get;

{"ts":"2017-11-27T12:14:29.850476Z","uid":"CvtiHbXu0dt9pdFMa","id.orig_h":"10.2.150.237","id.orig_p":42798,"id.resp_h":"10.2.150.226","id.resp_p":9441,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2017-11-27T12:14:33.578491Z","uid":"CuGJzp3JYtJLxu3NN1","id.orig_h":"10.2.150.226","id.orig_p":54376,"id.resp_h":"10.2.150.228","id.resp_p":6188,"name":"active_connection_reuse","notice":false,"peer":"bro"}
{"ts":"2017-11-27T12:14:33.578491Z","uid":"COJykR3r39KwcvIPae","id.orig_h":"10.2.150.228","id.orig_p":6188,"id.resp_h":"10.2.150.226","id.resp_p":54376,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2017-11-27T12:14:41.454466Z","uid":"CuKy3C1TkabD0KvC26","id.orig_h":"10.2.150.227","id.orig_p":38672,"id.resp_h":"10.2.150.226","id.resp_p":8020,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2017-11-27T12:14:43.578437Z","uid":"CFLCdn2bwXadx8g0al","id.orig_h":"10.2.150.226","id.orig_p":54378,"id.resp_h":"10.2.150.228","id.resp_p":6188,"name":"active_connection_reuse","notice":false,"peer":"bro"}
{"ts":"2017-11-27T12:14:43.578437Z","uid":"CKZBqUlmUlkdtvMDd","id.orig_h":"10.2.150.228","id.orig_p":6188,"id.resp_h":"10.2.150.226","id.resp_p":54378,"name":"data_before_established","notice":false,"peer":"bro"}

Regards,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171128/c62d46ff/attachment-0001.html

More information about the Bro mailing list