http analyzer

Zeek
1

Hi.

I am trying to run bro with http.bro policy file against a pcap file. I get an empty http.log file. However, conn.log contains plenty of http records. All I am trying to get is a summary of http transactions (as summerized in the “http analyzer” section of the manual). Am I using the wrong policy file?
The conn.log content is as follows, Thank you:

1248823461.379857 0.000522 134.9.214.98 198.128.246.10 https 59371 443 tcp 0 0 SF X
1248823461.380007 0.001128 134.9.214.98 74.125.19.103 http 59373 80 tcp 0 0 SF X
1248823461.380081 0.001055 134.9.214.98 74.125.19.103 http 59374 80 tcp 0 0 SF X
1248823461.380165 0.001008 134.9.214.98 74.125.19.139 http 59375 80 tcp 0 0 SF X
1248823470.597261 18.050017 134.9.214.98 198.128.246.160 https 59380 443 tcp 1075 39610 SF X
1248823470.597119 18.050392 134.9.214.98 198.128.246.160 https 59379 443 tcp 1075 36721 SF X
1248823457.013757 68.607945 134.9.214.30 255.255.255.255 ntp 1230 123 udp 240 ? S0 X [5/0]
1248823458.148163 68.386845 134.9.216.231 255.255.255.255 ntp 1230 123 udp 240 ? S0 X [5/0]
1248823469.374292 51.287737 134.9.214.232 255.255.255.255 ntp 1230 123 udp 192 ? S0 X [4/0]
1248823465.334545 ? 134.9.214.98 198.128.246.160 http 59377 80 tcp ? ? S1 X
1248823521.726360 ? 134.9.214.98 208.117.252.89 http 59395 80 tcp ? ? S1 X
1248823492.193498 15.026019 134.9.214.98 198.128.249.4 http 59383 80 tcp 1085 61616 S3 X
1248823492.193864 15.025624 134.9.214.98 198.128.249.4 http 59384 80 tcp 1034 8008 S3 X
1248823501.794443 ? 134.9.214.98 74.125.19.100 http 59387 80 tcp ? ? S1 X
1248823498.532173 ? 134.9.214.98 74.125.19.103 http 59385 80 tcp ? ? S1 X
1248823504.582292 ? 134.9.214.98 216.34.181.60 http 59392 80 tcp ? ? S1 X
1248823498.617937 ? 134.9.214.98 74.125.19.139 http 59386 80 tcp ? ? S1 X
1248823504.575446 ? 134.9.214.98 209.87.252.214 http 59391 80 tcp ? ? S1 X
1248823504.574710 ? 134.9.214.98 209.87.252.214 http 59389 80 tcp ? ? S1 X
1248823504.575088 ? 134.9.214.98 209.87.252.214 http 59390 80 tcp ? ? S1 X
1248823528.360665 0.000069 134.9.214.98 128.115.3.5 other 59368 3268 tcp 0 0 SF X
1248823492.186376 15.032956 134.9.214.98 198.128.249.4 http 59382 80 tcp 1398 19752 S3 X
1248823504.390518 ? 134.9.214.98 209.87.252.214 http 59388 80 tcp ? ? S1 X
1248823512.268070 ? 134.9.214.98 138.23.169.15 http 59393 80 tcp ? ? S1 X
1248823521.660641 ? 134.9.214.98 74.125.19.138 http 59394 80 tcp ? ? S1 X
1248823465.442010 ? 134.9.214.98 198.128.246.160 https 59378 443 tcp ? ? S1 X
1248823491.675365 15.613805 134.9.214.98 198.128.249.4 http 59381 80 tcp 2093 19369 S3 X

2

You need http-request and http-reply (and potentially some more of
the other http-*). The HTTP analysis is split across a set of
scripts and while http.bro implements parts of that, it itself does
not activate the analysis.

Robin