[Zeek] Sometimes HTTP.log fails to generate from PCAP file
Charles A Fair
charles.fair at mac.com
Sat Aug 10 09:07:30 PDT 2019
Try this on your pcap file to see all analyzed events:
Bro Dump Events policy script:
bro -C -r file.pcap policy/misc/dump-events.bro
I would also expect that, if your trace is a partial capture, Bro will create a weird log entry with a description of what’s going on.
Chuck

Charles “Chuck” A. Fair
chuck.fair at perched.io
> On Aug 8, 2019, at 2:42 PM, Jonah Burgess <jburgess03 at qub.ac.uk> wrote:
>
> Hi Everyone,
>
> This is my first time using this mailing list so I apologise in advance if I’ve followed the wrong format/protocol etc.
>
> I am doing some malware research and making use of the HTTP.log generated by Bro. I’ve noticed some PCAPs fail to generate an HTTP log. I’ve looked at a couple of examples and thought maybe it is because there is no SYN-ACK before the HTTP connection in the PCAP (the researcher who generated the PCAP may have cut this out or not captured it).
>
> Can anybody confirm why the HTTP.log fails to generate (is it the missing SYN-ACK at the start?) and advise if there is some way I can still extract the HTTP traffic from the PCAP using Bro (since it’s clearly all visible in Wireshark).
>
> Note: I’m unable to attach screenshots of any of the problematic PCAPs due to email size.
>
> Thanks in advance,
> Jonah (@_CryptoCat)
>
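The reply above suggests two things to look at before blaming Zeek: run it with -C (ignore checksums) and check weird.log when the trace is a partial capture. Below is an added example, written for this page and not code from Zeek or from either poster, that triages a pcap for exactly those two conditions with nothing but the Python standard library: it reassembles each TCP flow key, notes whether a SYN and SYN-ACK were captured, verifies the IPv4 and TCP checksums itself, and flags flows that carry an HTTP request line but no handshake. The sample pcap, the 10.0.0.5/192.0.2.10 addresses, the ports and the wording of the diagnose() heuristic are all constructed for illustration.

```python
"""Pcap triage before running Zeek: flag TCP flows captured mid-stream (no SYN/SYN-ACK seen)
and frames with bad IP/TCP checksums, which Zeek ignores unless run with -C. Stdlib only."""
import struct
from collections import defaultdict

SYN, ACK, PSH = 0x02, 0x10, 0x08
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def read_pcap(data: bytes):
    """Yield raw frames from an in-memory classic pcap file (either byte order, Ethernet only)."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    magic, _, _, _, _, _, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a classic pcap with Ethernet (linktype 1) frames")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]  # captured length
        off += 16
        yield data[off:off + incl]
        off += incl

def _parse_tcp(frame: bytes):
    """Return (flow_key, flags, payload, ip_ok, tcp_ok); None for non-IPv4/TCP or truncated frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    total = struct.unpack("!H", frame[16:18])[0]
    ip = frame[14:14 + total]
    if len(ip) < total:
        return None  # cut by snaplen; checksums cannot be verified
    ihl = (ip[0] & 0x0F) * 4
    src, dst, tcp = ip[12:16], ip[16:20], ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags, payload = tcp[13], tcp[(tcp[12] >> 4) * 4:]
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    ip_ok, tcp_ok = _csum(ip[:ihl]) == 0, _csum(pseudo + tcp) == 0
    a, b = (src, sport), (dst, dport)  # direction-independent flow key
    return ((a, b) if a <= b else (b, a)), flags, payload, ip_ok, tcp_ok

def triage(data: bytes) -> dict:
    """Per TCP flow: packet count, SYN seen, SYN-ACK seen, checksum failures, HTTP request seen."""
    flows = defaultdict(lambda: dict(packets=0, syn=False, synack=False, bad_csum=0, http=False))
    for frame in read_pcap(data):
        parsed = _parse_tcp(frame)
        if parsed is None:
            continue
        key, flags, payload, ip_ok, tcp_ok = parsed
        f = flows[key]
        f["packets"] += 1
        f["syn"] |= bool(flags & SYN and not flags & ACK)
        f["synack"] |= bool(flags & SYN and flags & ACK)
        f["bad_csum"] += int(not (ip_ok and tcp_ok))
        f["http"] |= payload.startswith(HTTP_METHODS)
    return dict(flows)

def diagnose(flow: dict) -> list:
    """Assumed heuristic: map a flow summary to why Zeek may have produced no http.log for it."""
    findings = []
    if flow["bad_csum"]:
        findings.append("bad checksums (Zeek ignores such packets unless run with -C)")
    if flow["http"] and not (flow["syn"] and flow["synack"]):
        findings.append("HTTP request without a captured handshake (partial capture)")
    return findings

def _frame(src, dst, sport, dport, flags, seq, ack, payload=b"", corrupt=False):
    """Constructed Ethernet/IPv4/TCP frame; corrupt=True mangles the TCP checksum."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tsum = _csum(pseudo + tcp + payload)
    tsum = (tsum + 1) & 0xFFFF if corrupt else tsum
    tcp = tcp[:16] + struct.pack("!H", tsum) + tcp[18:] + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:] + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap container (constructed timestamps)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", 1565000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)

# Constructed sample: flow 1 = full handshake + GET, valid checksums; flow 2 = same GET mid-stream, bad TCP checksum.
CLIENT, SERVER = b"\x0a\x00\x00\x05", b"\xc0\x00\x02\x0a"  # 10.0.0.5 and 192.0.2.10 (assumed)
REQ = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_PCAP = build_pcap([
    _frame(CLIENT, SERVER, 40001, 80, SYN, 100, 0),
    _frame(SERVER, CLIENT, 80, 40001, SYN | ACK, 500, 101),
    _frame(CLIENT, SERVER, 40001, 80, ACK, 101, 501),
    _frame(CLIENT, SERVER, 40001, 80, ACK | PSH, 101, 501, REQ),
    _frame(CLIENT, SERVER, 40002, 80, ACK | PSH, 9000, 7000, REQ, corrupt=True),
])
```

On a real file, replace SAMPLE_PCAP with the bytes of the pcap in question and print diagnose() for each flow returned by triage(). A flow flagged for checksums is the case for the -C flag in the reply above; a flow flagged for a missing handshake is the partial-capture case where weird.log is the place to look next.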