Help with bro

Again, I’m adding the bro list for others' edification.

HTTP.cc is part of “the core”. It parses connection streams passed to it, from the analyzer tree, and raises events defined in events.bif. Such events include those around http headers, http requests, http responses, etc. Then, the script “layer” is called based on those events. Such events have handler code in scripts that do things such as logging. I hope this helps.

-AK

init_bro is raised as Bro executes and HTTP events are raised as Bro sees HTTP connections. Usually the Bro binary needs to begin execution before it begins parsing network traffic. Here are some ideas for you to test:

  • You could be terminating Bro before it recognizes an HTTP connection
  • You could have no traffic going to Bro (do you see a conn.log file? Are we sure about interfaces at this point?)
  • You may be generating HTTP traffic Bro doesn’t recognize.

Collect a pcap and attach it to this thread. Best case scenario, you found a protocol parsing issue and the Bro devs can fix it. Worst case scenario, your SO distribution needs tweaking and you may need to ask another list for directions.

-AK

So you mean to say that generate_http_request is a definition of the HTTP_request event?

void BifEvent::generate_http_request(analyzer::Analyzer* analyzer, Connection* c, StringVal* method, StringVal* original_URI, StringVal* unescaped_URI, StringVal* version)
{
    // Note that it is intentional that here we do not
    // check if ::http_request is NULL, which should happen before
    // BifEvent::generate_http_request is called to avoid unnecessary Val
    // allocation.

    val_list* vl = new val_list;

    vl->append(c->BuildConnVal());
    vl->append(method);
    vl->append(original_URI);
    vl->append(unescaped_URI);
    vl->append(version);

    mgr.QueueEvent(::http_request, vl, SOURCE_LOCAL, analyzer->GetID(), timer_mgr, c);
}

If that's the case, why does it have mgr.QueueEvent? That gets me confused.
And the HTTP_request event is raised by:

void HTTP_Analyzer::HTTP_Request()
{
    ProtocolConfirmation();

    const char* method = (const char*) request_method->AsString()->Bytes();
    int method_len = request_method->AsString()->Len();

    if ( strncasecmp(method, "CONNECT", method_len) == 0 )
        connect_request = true;

    if ( http_request )
    {
        val_list* vl = new val_list;

        vl->append(BuildConnVal());
        Ref(request_method);
        vl->append(request_method);
        vl->append(TruncateURI(request_URI->AsStringVal()));
        vl->append(TruncateURI(unescaped_URI->AsStringVal()));
        vl->append(new StringVal(fmt("%.1f", request_version)));

        // DEBUG_MSG("%.6f http_request\n", network_time);

        ConnectionEvent(http_request, vl);
    }
}

I have attached the responses inline to what you asked to test:

Here are some ideas for you to test:

  • You could be terminating Bro before it recognizes an HTTP connection

When I use bro -Ci eth0 (i.e. the binary), then I can see all the http.log, weird.log, conn.log files getting dumped in my current working directory. They have the correct information. So I don't think this is the case. Still can't get why Broctl wouldn't give me the logs.

  • You could have no traffic going to Bro (do you see a conn.log file? Are we sure about interfaces at this point?)

As mentioned, traffic is going to Bro; only then am I able to see those logs.

  • You may be generating HTTP traffic Bro doesn’t recognize.

Doubt this.

Having said the above, what I did as a small experiment was to write a small piece of code to open a file and print a line with the function name in each of the event definitions in events.bif.cc and each of the events in HTTP.cc, just to get a trace of the function calls, but it only shows me bro_init as the printed message.
Again, I am confused as to how it's able to detect the HTTP packets without passing through either of these functions?

Thanks,
Yagyesh

Because you didn't tell broctl to use -C.

https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums
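To tie together the core-to-script event flow AK describes at the top of the thread and the checksum point in the last reply, here is an added Bro script (not from this thread or the Bro project) that handles bro_init, http_request and bro_done on the script layer and sets the script-level equivalent of -C. It assumes Bro 2.x and a file name of trace_http.bro.

```bro
# Added example, not from the thread: trace the events the core raises
# for HTTP and show where the script layer picks them up.
# Run stand-alone with:  bro -i eth0 trace_http.bro
# or load it from local.bro so broctl-managed nodes pick it up.

# Script-level equivalent of the -C command-line flag. Without this,
# packets whose checksums are bad (typical with NIC checksum offload on
# the sniffing interface) are dropped before any analyzer sees them, so
# bro_init fires but no http_request events are ever generated.
redef ignore_checksums = T;

# Counter for the http_request events delivered to this script.
global http_request_count: count = 0;

# Raised once when the script layer starts, before any packet is parsed.
event bro_init()
    {
    print "bro_init: script layer is up";
    }

# Raised by HTTP_Analyzer::HTTP_Request() via mgr.QueueEvent for every
# request line the HTTP analyzer parses; the parameters match events.bif.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    http_request_count += 1;
    print fmt("http_request: %s -> %s %s %s HTTP/%s",
              c$id$orig_h, c$id$resp_h, method, original_URI, version);
    }

# Raised once at shutdown; if the count is still 0 while conn.log shows
# traffic, the packets never reached the HTTP analyzer.
event bro_done()
    {
    print fmt("bro_done: %d http_request events seen", http_request_count);
    }
```

Under broctl, print output lands in the node's stdout.log rather than on the terminal.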