[Bro] Bro behind a TLS reverse proxy

Azoff, Justin S jazoff at illinois.edu
Wed Apr 4 15:01:37 PDT 2018


> On Apr 2, 2018, at 12:04 AM, Brandon Sterne <brandon.sterne at gmail.com> wrote:
> 
> Hello,
> 
> I am attempting to get Bro working sitting behind a reverse proxy (nginx), which is receiving connections, terminating TLS, and forwarding cleartext HTTP to a local app server (Tomcat). I have a really simple test case that demonstrates the problem I'm running into, which is that Bro HTTP events are only detected when requests are sent plaintext (without TLS). Here is the test case I'm using:

The output you have included is not enough to tell what is wrong.  Minimally, full conn.log entries are required to figure out what bro is seeing.  Even better would be a full pcap of the traffic that bro is not properly decoding.

To just guess, I'd say your problem is that the MTU on lo is 65536 and bro is not configured by default to handle that.  Throwing a

redef Pcap::snaplen = 65536;

in your script may get things working.


-- 
Justin Azoff
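Added example (not part of the reply above, and not Bro's own code): the reply asks for a pcap of the traffic Bro fails to decode and guesses that the loopback MTU exceeds Bro's snaplen. The script below checks that guess directly from a capture. It walks a classic libpcap file held in memory, reads the snaplen recorded in the global header, counts records whose captured length is shorter than their on-the-wire length, and derives the `redef Pcap::snaplen` line that would cover the largest frame seen. It assumes classic pcap (pcapng is not parsed), and the embedded sample capture is constructed inline to mimic a 9000-byte snaplen capture on lo.

```python
import struct

PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # classic pcap, usec and nsec timestamp variants


def analyze_pcap(data):
    """Walk a classic libpcap capture held in memory and report whether the
    capture's snaplen truncated any packets. Returns a dict with the header
    snaplen, packet count, truncated count and the largest on-the-wire length."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in PCAP_MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    # global header: magic, major, minor, tz offset, sigfigs, snaplen, linktype
    _magic, _major, _minor, _tz, _sigfigs, snaplen, _linktype = struct.unpack(
        endian + "IHHiIII", data[:24])
    report = {"snaplen": snaplen, "packets": 0, "truncated": 0, "max_orig_len": 0}
    off = 24
    while off + 16 <= len(data):
        # record header: ts_sec, ts_frac, incl_len (captured), orig_len (on the wire)
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        report["packets"] += 1
        report["max_orig_len"] = max(report["max_orig_len"], orig_len)
        if incl_len < orig_len:
            report["truncated"] += 1
    return report


def suggest_snaplen(report):
    """Return the redef line Bro would need, or None if nothing was truncated.
    The value is the largest wire length rounded up to a multiple of 1024
    (a constructed rounding rule, not something Bro requires)."""
    if report["truncated"] == 0:
        return None
    rounded = (report["max_orig_len"] + 1023) // 1024 * 1024
    return "redef Pcap::snaplen = %d;" % rounded


def build_pcap(snaplen, packets, endian="<"):
    """Constructed helper: assemble a classic pcap (linktype 1, Ethernet) from
    (orig_len, captured_bytes) pairs, mimicking a capture made with the given snaplen."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, (orig_len, captured) in enumerate(packets):
        out += struct.pack(endian + "IIII", 1522857600 + i, 0, len(captured), orig_len)
        out += captured
    return out


# Constructed sample: a 9000-byte snaplen capture holding one small frame and one
# 65535-byte loopback frame of which only the first 9000 bytes were captured.
SAMPLE_PCAP = build_pcap(9000, [
    (60, b"\x00" * 60),
    (65535, b"\x00" * 9000),
])

if __name__ == "__main__":
    r = analyze_pcap(SAMPLE_PCAP)
    print(r)
    print(suggest_snaplen(r) or "no truncation: snaplen is sufficient")
```

To run it against a real capture, replace `SAMPLE_PCAP` with `open("trace.pcap", "rb").read()`; a non-zero `truncated` count with `max_orig_len` above the header snaplen means the capture itself (and a Bro instance using the same snaplen) never saw the full frames, which is exactly the symptom the reply is guessing at.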
