problems using Bro (http)

_rmkml · June 15, 2004, 2:55pm

Hi,

I have a little question,

I start bro :

$ export BROPATH=/usr/src/bro/bro-pub-0.9a2/policy;
$ /usr/src/bro/bro-pub-0.9a2/bro -i eth0 bro.init mt http

ok bro not write on stdout !

when bro run,
files log.log/http.log/ftp.log/alert.log/weird.log
is zero

but if I stop bro,
only weird.log fill :
1087310691.743467 2.10.12.2/33282 > 128.193.0.3/http: spontaneous_FIN

and bro write on stdout :
1087310691.743467 0.172724 2.10.12.2 128.193.0.3 http 33282 80 tcp 0 ? RSTR X

possible help me please
why bro not fill http.log ?
and why bro write weird.log only after stop bro ?

I use bro 0.9a2 on linux 2.4.26.
same on fbsd49.
(no compile option: ./configure && make [openssl disable auto by configure])

Regards

robin · June 15, 2004, 3:24pm

$ /usr/src/bro/bro-pub-0.9a2/bro -i eth0 bro.init mt http

You should use "http-request" (and perhaps "http-reply") instead of
http.

and why bro write weird.log only after stop bro ?

Most of the log files are buffered, i.e. output is written in larger
chunks (and at termination).

Robin

_rmkml · June 15, 2004, 3:33pm

thanks for your help Robin

Topic		Replies	Views
logging in bro Zeek	1	138	May 6, 2022
logging in bro Zeek	1	84	May 6, 2022
weird: spontaneous_FIN problem for HTTP log Zeek	2	114	May 6, 2022
http.log stops logging Zeek	4	98	May 6, 2022
unmatched_HTTP_reply in weird.log Zeek	2	107	May 6, 2022