Bro DPD (Beginner)

Hi all,

I am new to Bro. I am trying to analyse the traffic trace in offline mode and detect the outgoing HTTP packets on non-standard ports (POST request in a TCP [PSH, ACK] packet).

I am using the following command line option:
sudo /usr/local/bro/bin/bro -f tcp -r mytrace.pcap /usr/local/bro/share/bro/base/frameworks/dpd/main.bro
There is no dpd log file generated by bro.
What am I missing here?

Do you have a conn.log or http.log? conn.log will indicate which analyzer(s) successfully analyzed a connection and http.log will show the information from the log. dpd.log is mostly used for debugging when and why DPD failed. No failure, no log (failure includes the client or server not abiding by the protocol).

You also don't need to include "-f tcp" in your filter. Bro has a wide open filter which lets everything in by default now. You also don't need to load that script. You could condense your entire command line to "bro -r mytrace.pcap"

  .Seth
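
One way to act on the conn.log advice above, as an added example that is not part of the original thread: a Python script that reads the service column of a Bro conn.log and lists TCP connections identified as HTTP on ports outside an assumed set of standard ports. The sample log lines, the port set and the function name are constructed for illustration.

```python
# Added example: find HTTP that DPD identified on non-standard ports,
# using the "service" column of a Bro conn.log (tab-separated format).

STANDARD_HTTP_PORTS = {80, 8080}  # assumption: what counts as "standard" here

# Constructed sample log with a trimmed column set; real logs have more fields.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1340000000.1\tCaaa1\t10.0.0.5\t49152\t192.0.2.10\t80\ttcp\thttp",
    "1340000001.2\tCbbb2\t10.0.0.5\t49153\t198.51.100.7\t8081\ttcp\thttp",
    "1340000002.3\tCccc3\t10.0.0.6\t49154\t198.51.100.8\t4444\ttcp\t-",
    "1340000003.4\tCddd4\t10.0.0.6\t49155\t192.0.2.20\t443\ttcp\tssl",
    "1340000004.5\tCeee5\t10.0.0.7\t5353\t192.0.2.30\t53\tudp\tdns",
])


def http_on_nonstandard_ports(lines, standard_ports=STANDARD_HTTP_PORTS):
    """Return (uid, orig_h, resp_h, resp_p) for HTTP on unexpected ports.

    `lines` is any iterable of conn.log lines (an open file works).
    """
    fields, hits = [], []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # column names follow the tag
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines (#separator, #path, #close)
        if not fields:
            raise ValueError("data row seen before a #fields header")
        row = dict(zip(fields, line.split("\t")))
        # "-" means no analyzer confirmed a protocol for this connection;
        # split on "," in case more than one analyzer is listed.
        services = set(row.get("service", "-").split(","))
        if row.get("proto") == "tcp" and "http" in services:
            port = int(row["id.resp_p"])
            if port not in standard_ports:
                hits.append((row["uid"], row["id.orig_h"], row["id.resp_h"], port))
    return hits


if __name__ == "__main__":
    for uid, orig_h, resp_h, port in http_on_nonstandard_ports(SAMPLE_CONN_LOG.splitlines()):
        print(f"{uid}: {orig_h} -> {resp_h}:{port} identified as HTTP")
```

To run it against a real trace, pass an open conn.log file object produced by "bro -r mytrace.pcap" instead of the sample lines.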

Thanks for the quick reply. One more question: how do I detect/extract an HTTP request in the TCP payload (where the TCP connection is established on a non-standard port)?

We've been having some trouble with content extraction, but if you want to try it…

bro -r mytrace.pcap "HTTP::extract_file_types=/.*/"

This mechanism is being heavily reworked for 2.1 right now too so that all file handling will be done through the new file analysis framework. More information and docs will come with the 2.1 release.

  .Seth