[Bro] Missing or "localhost" host field in bro http logs

Azoff, Justin S jazoff at illinois.edu
Thu Jul 26 11:37:05 PDT 2018


> On Jul 25, 2018, at 12:04 PM, Federico Foschini <undicizeri at gmail.com> wrote:
> 
> Hello,
> I notice that sometimes the field host in a bro-http log is missing or contains localhost as a value.
> How is that possible?
> 
> This is an example of a log with localhost as host:
> 
> http.11:00:00-12:00:00.bak.gz:{"ts":"2018-07-25T11:39:09.440378Z","uid":"CZDkyn2xwPRU17Qm9g","id_orig_h":"198.134.154.227","id_orig_p":49558,"id_resp_h":"192.168.237.29","id_resp_p":8081,"trans_depth":3,"method":"GET","host":"localhost","uri":"/ospos/index.php/login","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0","request_body_len":0,"response_body_len":0,"status_code":500,"status_msg":"Internal Server Error","tags":[]}

There is no default value in bro, so if the log says localhost, it means the request was for localhost.

> In this one the host is missing:
> 
> http.12:00:00-13:00:00.bak.gz:{"ts":"2018-07-25T12:09:31.955600Z","uid":"CERXcsevwbBQrqWDf","id_orig_h":"192.168.235.47","id_orig_p":57326,"id_resp_h":"192.168.50.201","id_resp_p":80,"trans_depth":2,"request_body_len":0,"response_body_len":0,"tags":[]}
> 
> Is that a normal behavior?

request_body_len and response_body_len are both 0, so it looks like the client did something weird here.


— 
Justin Azoff
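
Added example, not part of the original thread or of Bro itself: a small triage script that sorts http.log JSON records into the two cases discussed above (host set to localhost, host absent). The sample lines are constructed (the first two are trimmed from the records quoted in the thread), and the label names, the 127.0.0.1 entry and the "request-without-host" case are assumptions of this example.

```python
import json

# Constructed input in the "file:{json}" shape shown in the thread. The first
# two records are trimmed from the thread; the last two are made up.
SAMPLE = [
    'http.11:00:00-12:00:00.bak.gz:{"uid":"CZDkyn2xwPRU17Qm9g","method":"GET",'
    '"host":"localhost","uri":"/ospos/index.php/login","status_code":500}',
    'http.12:00:00-13:00:00.bak.gz:{"uid":"CERXcsevwbBQrqWDf","trans_depth":2,'
    '"request_body_len":0,"response_body_len":0,"tags":[]}',
    'http.12:00:00-13:00:00.bak.gz:{"uid":"Cconstructed0001","method":"GET",'
    '"uri":"/","version":"1.0","status_code":200}',
    'http.12:00:00-13:00:00.bak.gz:{"uid":"Cconstructed0002","method":"GET",'
    '"host":"www.example.com","uri":"/","status_code":200}',
]

# "localhost" is the value from the thread; 127.0.0.1 is an added assumption.
LOOPBACK = {"localhost", "127.0.0.1"}

def parse_line(line):
    """Return (source_file, record). The file name itself contains colons,
    so split at the first '{' rather than at the first ':'."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return line[:start].rstrip(":"), json.loads(line[start:])
    except ValueError:
        return None

def classify(rec):
    host = rec.get("host")
    if not host:
        # No method/uri either: the record carries no request line at all.
        if "method" not in rec and "uri" not in rec:
            return "no-request-parsed"
        return "request-without-host"  # e.g. HTTP/1.0 client sending no Host header
    return "host-is-loopback" if host.lower() in LOOPBACK else "ok"

def triage(lines):
    """List (uid, source_file, label) for every record worth a second look."""
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and classify(parsed[1]) != "ok":
            out.append((parsed[1].get("uid"), parsed[0], classify(parsed[1])))
    return out

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The uid on each flagged row can be looked up in conn.log to see what else happened on that connection.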




