- http$host diff between bro and broctl

william_de_ping · June 21, 2017, 4:29pm

Hi all,

Scenario 1 : bro instance on my local interface + browsing to www.bbc.com
Scenario 2 : bro cluster with a single Worker on my local interface + browsing to www.cnn.com

in http.log,
on the 1st scenario, the host field is initialized with www.bbc.com
on the 2nd scenario, the host field is NOT initialized

I’m running bro 2.5

Is there any explanation for the diff ?

thank you

B

Azoff_Justin_S · June 21, 2017, 9:17pm

You're probably starting bro differently in the two cases.

https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums

william_de_ping · June 22, 2017, 1:46pm

Thank you ! it turns out to be checksum

B

Topic		Replies	Views
Bro Not Extracting Host Fields from HTTP Traffic Zeek	4	65	May 6, 2022
unmatched_HTTP_reply in weird.log Zeek	2	84	May 6, 2022
Identifying interface when running with multiple interfaces Zeek	3	61	May 6, 2022
Bro restrict filters question Zeek	4	87	May 6, 2022
Bro Digest, Vol 28, Issue 2 Zeek	4	69	May 6, 2022

- http$host diff between bro and broctl

Related Topics