[Zeek] how can i config bro to let it only capture and analyze http packages?

Johanna Amann johanna at corelight.com
Fri Oct 18 16:50:30 PDT 2019


On 3 Oct 2019, at 19:02, lc z wrote:

> Does it have this function? I just want to only analyze http
> packages. And can it reduce the capture loss rate via analyzing fewer
> packages? Thanks a lot.

It kind of depends on what you mean. There are basically two approaches 
that can be used to limit yourself to only http.

First, you can use BPF filters to limit the traffic that Zeek sees. So 
you can e.g. get Zeek to only analyze port 80 traffic by setting 
PacketFilter::default_capture_filter to (ip or not ip) and (tcp 
port 80) or similar.

If you do this you will miss http traffic on ports different from 80.

The other alternative is to not load scripts that do non-http analysis. 
You can e.g. do that by starting zeek in bare mode (passing -b on the 
command line, or setting zeekargs/broargs to -b). You then have to set 
your local.bro to load the protocol analyzers that you want manually - 
in your case you would probably need

@load base/protocols/dpd
@load base/protocols/http

which should only give you http.log. All other traffic will still be 
seen by Zeek, but no protocol analysis will run on it.

If you want conn.log, you also need

@load base/protocols/conn

Both of these approaches will speed Zeek up, the first one more than 
the second one. However, neither of them is a golden bullet, and you will 
not get as much data as you did before.

I hope this helps,
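The two approaches from the reply combined into one bare-mode local script, as an added example that is not part of the original post or the Zeek distribution. Assumed: the file is run as `zeek -b local.zeek`, the port list in the BPF expression is a constructed choice, and the capture-loss policy script is used to measure whether the drop rate actually improves.

```zeek
# local.zeek for a bare-mode run:  zeek -b -i eth0 local.zeek
# Added example, not from the mailing-list post or the Zeek project.
# Assumed: the HTTP port list below is our own choice for this example.

# The packet-filter framework is not loaded in bare mode, so load it
# before redefining its capture filter.
@load base/frameworks/packet-filter

# Approach 1: BPF capture filter. Packets that do not match are dropped
# by the capture layer before Zeek processes them, which is what lowers
# the packet load (and thus the chance of capture loss). "(ip or not ip)"
# keeps Zeek's default of accepting every frame type; the tcp clause then
# narrows the traffic to the chosen HTTP ports.
redef PacketFilter::default_capture_filter =
    "(ip or not ip) and (tcp port 80 or tcp port 8080 or tcp port 8000)";

# Approach 2: bare mode loads no protocol scripts, so pull in only what
# is needed. conn gives conn.log for the filtered traffic, dpd keeps
# dynamic protocol detection so HTTP on any of the ports above is still
# recognised, and http produces http.log.
@load base/protocols/conn
@load base/protocols/dpd
@load base/protocols/http

# Measure, do not guess: this policy script writes capture_loss.log with
# an estimate of missed packets (based on observed TCP gaps), so the
# effect of the filter on the loss rate can be compared before and after.
@load policy/misc/capture-loss
```

Anything outside the BPF expression never reaches Zeek, so it will be absent from capture_loss.log's estimate as well as from conn.log; drop the redef and keep only the @load lines if all traffic should still be counted.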