bro http message verbosity

Hi All,

We are trying to use bro to monitor http messages on a wire. We are getting very coarse logs and wonder how we can increase verbosity to see all the parsed message details in the log.

Bro version is 2.4.1

Here are some example messages we get:

{"ts":"2017-11-27T12:14:29.850476Z","uid":"CvtiHbXu0dt9pdFMa","id.orig_h":"10.2.150.237","id.orig_p":42798,"id.resp_h":"10.2.150.226","id.resp_p":9441,"name":"inappropriate_FIN","notice":false,"peer":"bro"}

{"ts":"2017-11-27T12:14:33.578491Z","uid":"CuGJzp3JYtJLxu3NN1","id.orig_h":"10.2.150.226","id.orig_p":54376,"id.resp_h":"10.2.150.228","id.resp_p":6188,"name":"active_connection_reuse","notice":false,"peer":"bro"}

{"ts":"2017-11-27T12:14:33.578491Z","uid":"COJykR3r39KwcvIPae","id.orig_h":"10.2.150.228","id.orig_p":6188,"id.resp_h":"10.2.150.226","id.resp_p":54376,"name":"data_before_established","notice":false,"peer":"bro"}

{"ts":"2017-11-27T12:14:41.454466Z","uid":"CuKy3C1TkabD0KvC26","id.orig_h":"10.2.150.227","id.orig_p":38672,"id.resp_h":"10.2.150.226","id.resp_p":8020,"name":"data_before_established","notice":false,"peer":"bro"}

{"ts":"2017-11-27T12:14:43.578437Z","uid":"CFLCdn2bwXadx8g0al","id.orig_h":"10.2.150.226","id.orig_p":54378,"id.resp_h":"10.2.150.228","id.resp_p":6188,"name":"active_connection_reuse","notice":false,"peer":"bro"}

{"ts":"2017-11-27T12:14:43.578437Z","uid":"CKZBqUlmUlkdtvMDd","id.orig_h":"10.2.150.228","id.orig_p":6188,"id.resp_h":"10.2.150.226","id.resp_p":54378,"name":"data_before_established","notice":false,"peer":"bro"}

Regards,

Hi All,
We are trying to use bro to monitor http messages on a wire. We are getting very coarse logs and wonder how we can increase verbosity to see all the parsed message details in the log.

Bro version is 2.4.1

2.4.1 is over 2 years old at this point. You should be on 2.5.x, or minimally 2.4.2.

Here are some example messages we get:

{"ts":"2017-11-27T12:14:29.850476Z","uid":"CvtiHbXu0dt9pdFMa","id.orig_h":"10.2.150.237","id.orig_p":42798,"id.resp_h":"10.2.150.226","id.resp_p":9441,"name":"inappropriate_FIN","notice":false,"peer":"bro"}
{"ts":"2017-11-27T12:14:33.578491Z","uid":"CuGJzp3JYtJLxu3NN1","id.orig_h":"10.2.150.226","id.orig_p":54376,"id.resp_h":"10.2.150.228","id.resp_p":6188,"name":"active_connection_reuse","notice":false,"peer":"bro"}
{"ts":"2017-11-27T12:14:33.578491Z","uid":"COJykR3r39KwcvIPae","id.orig_h":"10.2.150.228","id.orig_p":6188,"id.resp_h":"10.2.150.226","id.resp_p":54376,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2017-11-27T12:14:41.454466Z","uid":"CuKy3C1TkabD0KvC26","id.orig_h":"10.2.150.227","id.orig_p":38672,"id.resp_h":"10.2.150.226","id.resp_p":8020,"name":"data_before_established","notice":false,"peer":"bro"}
{"ts":"2017-11-27T12:14:43.578437Z","uid":"CFLCdn2bwXadx8g0al","id.orig_h":"10.2.150.226","id.orig_p":54378,"id.resp_h":"10.2.150.228","id.resp_p":6188,"name":"active_connection_reuse","notice":false,"peer":"bro"}
{"ts":"2017-11-27T12:14:43.578437Z","uid":"CKZBqUlmUlkdtvMDd","id.orig_h":"10.2.150.228","id.orig_p":6188,"id.resp_h":"10.2.150.226","id.resp_p":54378,"name":"data_before_established","notice":false,"peer":"bro"}

Well, that's the weird.log, not the http.log. The http.log will have http related entries. If you're still not seeing what you expect there, it's probably because of

https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums
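For readers who land here with the same question, an added example that is not code from this thread or from Bro's own scripts: a small Bro script that does the two things the reply points at. It sets `ignore_checksums`, the knob behind the linked FAQ entry (NIC checksum offloading makes Bro discard packets with bad checksums, so http.log stays empty), and it extends `HTTP::Info` so that every request and response header is written to http.log, which is the "all the parsed message details" the original poster asked for. Bro 2.4/2.5 script syntax is assumed; the field names `req_hdrs` and `resp_hdrs` are this example's own and not standard http.log columns.

```bro
# Added example: make http.log more verbose and stop dropping
# packets with bad (offloaded) checksums.  Load with
#   bro -i <iface> local verbose-http.bro
# or add it to local.bro.  Not part of the thread above.

# Equivalent to the "-C" command-line flag from the FAQ.  Only do this
# where the capture point really has checksum offloading; bad checksums
# on a clean tap are themselves worth investigating.
redef ignore_checksums = T;

# Example's own extra columns on http.log (assumed names, &optional so
# connections without headers still log cleanly).
redef record HTTP::Info += {
    req_hdrs:  vector of string &log &optional;
    resp_hdrs: vector of string &log &optional;
};

# Bro raises http_header once per parsed header line, on both sides.
event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # The HTTP analyzer populates c$http before firing header events,
    # but guard anyway so a stray event never crashes the script.
    if ( ! c?$http )
        return;

    local line = fmt("%s: %s", name, value);

    if ( is_orig )
    {
        if ( ! c$http?$req_hdrs )
            c$http$req_hdrs = vector();
        # Append idiom for Bro 2.x vectors: index = current length.
        c$http$req_hdrs[|c$http$req_hdrs|] = line;
    }
    else
    {
        if ( ! c$http?$resp_hdrs )
            c$http$resp_hdrs = vector();
        c$http$resp_hdrs[|c$http$resp_hdrs|] = line;
    }
}
```

Two things to check before trusting the output: the entries in the original post carry `name`, `notice` and `peer` fields, which is the weird.log schema, not http.log, so grep for `method`/`host`/`uri` to confirm you are reading the right file; and header vectors can make http.log several times larger and will contain credentials and cookies in clear text, so apply the same access controls to the log as to a packet capture.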

Hi All,

Ping?