[Zeek] how can i config bro to let it only capture and analyze http packages?
Johanna Amann
johanna at corelight.com
Fri Oct 18 16:50:30 PDT 2019
Hi,
On 3 Oct 2019, at 19:02, lc z wrote:
> Does it have this function? I just want to only analyze http packages.
> And can it reduce the capture loss rate by analyzing fewer packages?
> Thanks a lot.
It kind of depends on what you mean. There are basically two approaches
that can be used to limit yourself to only http.
First - you can use BPF filters to limit the traffic that Zeek sees. So
- you can e.g. get Zeek to only analyze port 80 traffic by setting
PacketFilter::default_capture_filter to (ip or not ip) and (tcp port 80)
or similar.
If you do this you will miss http traffic on ports different from 80
though.
The other alternative is to not load scripts that do non-http analysis.
You can e.g. do that by starting zeek in bare mode (passing -b on the
command line, or setting zeekargs/broargs to -b). You then have to set
your local.bro to load the protocol analyzers that you want manually -
in your case you would probably need
@load base/protocols/dpd
@load base/protocols/http
which should only give you http.log. All other traffic will still be
seen by Zeek, but no protocol analysis will run on it.
If you want conn.log, you also need
@load base/protocols/conn
Both of these approaches will speed Zeek up - the first one more than
the second one. However, they both are no golden bullets - and you will
not get as much data as you did before.
I hope this helps,
Johanna
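Added example (not from the post above or from the Zeek project): a local.zeek (local.bro in older releases, as the reply calls it) for a bare-mode Zeek that applies the second approach from the reply and, optionally, the first. The DPD scripts are loaded from base/frameworks/dpd, where they live in the Zeek script tree. Assumptions not stated in the post: that the packet-filter framework is not loaded automatically in bare mode (loading it explicitly is harmless either way), and that policy/misc/capture-loss is used to measure the capture-loss effect the original question asked about.

```zeek
# local.zeek for "zeek -b" (or zeekargs=-b in zeekctl.cfg).
# Added example, not part of the mailing-list post or the Zeek distribution.

# Approach 2: load only HTTP analysis and what it depends on. Everything
# else still reaches Zeek but no other protocol analyzer runs on it.
@load base/frameworks/dpd        # dynamic protocol detection, so HTTP on
                                 # ports other than 80 is still recognised
@load base/protocols/conn        # conn.log (optional, as the reply notes)
@load base/protocols/http        # http.log

# Measure the effect on capture loss (capture_loss.log), which is what the
# original question was about.
@load policy/misc/capture-loss

# Approach 1 (optional): also restrict what Zeek reads from the wire with a
# BPF filter. ASSUMPTION: the packet-filter framework may not be part of the
# bare-mode base, so it is loaded explicitly here; @load is idempotent.
@load base/frameworks/packet-filter

# Uncomment to apply the port-80 filter from the reply. The "(ip or not ip)"
# prefix mirrors Zeek's default filter so non-IP frames are not rejected.
# Trade-off: HTTP on any other port is never seen, which defeats the DPD
# benefit of approach 2.
# redef PacketFilter::default_capture_filter = "(ip or not ip) and (tcp port 80)";
```

To confirm which filter is actually installed, check packet_filter.log after startup; if the redef is active, its filter field should show the port-80 expression. Compare capture_loss.log before and after the change to see whether the reduced analysis actually lowers the loss percentage on your sensor rather than assuming it will.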