question about bro alarm log

Hi,

I've noticed that for HTTP_SensitiveURI, there are at least two different types of log entries:

t=1190249317.414519 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS sa=60.50.247.122 sp=37248/tcp da=58.215.65.113 dp=8000/tcp method=GET url=/announce?peer_id=-KT2100-359018798262&port=6881&uploaded=0&downloaded=0&left=33554432&compact=1&numwant=100&key=1458894583&event=started&info_hash=\xd0\x9c;\xd8\xe6z/V\xe8\x89\x9c^K\xc3\xe0?pL\x1b\xaef num=302 msg=60.50.247.122/37248\ >\ 58.215.65.113/8000\ %12:\ GET\ /announce?peer_id=-KT2100-359018798262&port=6881&uploaded=0&downloaded=0&left=33554432&compact=1&numwant=100&key=1458894583&event=started&info_hash=\\xd0\\x9c;\\xd8\\xe6z/V\\xe8\\x89\\x9c^K\\xc3\\xe0?pL\\x1b\\xaef\ (302\ "Found"\ [0]\ btfans.3322.org:8000) tag=@274

and

t=1190253817.786857 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS sa=211.25.195.202 sp=46862/tcp da=60.50.247.122 dp=81/tcp method=GET url=/mro/favicon.ico num=404 msg=211.25.195.202/46862\ >\ 60.50.247.88/81\ %13\ @290:\ GET\ /mro/favicon.ico\ (404\ "Not\ Found"\ [279]\ whatever.zapto.org:81) tag=@290

In the first line, inside msg:

60.50.247.122/37248\ >\ 58.215.65.113/8000\ %12:

while the second one:

211.25.195.202/46862\ >\ 60.50.247.88/81\ %13\ @290:

Why the difference?

--mel

On Thu, Oct 04, 2007 at 01:07:41AM +0800, mel composed:


Because NOTICE([HTTP_SensitiveURI]) occurs in three segments of the code:

http.bro, http-request, and http-reply, and it is used in

http.bro:

        $msg=fmt("%s:%d -> %s:%d %s: <no reply>",
                session$orig_h, session$orig_p,
                session$resp_h, session$resp_p, id),

http-request.bro:

        $msg=fmt("%s %s: %s %s",
                id_string(c$id), c$addl, method, URI),

http-reply.bro:

        $msg = fmt("%s %s: %s",
                id_string(c$id), c$addl, req_rep),
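Added example, not from this thread and not code from the Bro distribution: a small Python parser for alarm-log lines like the two quoted above. It splits the key=value fields (honouring the backslash-escaped spaces and the doubled backslashes inside msg), then breaks msg into the id_string part, the c$addl part and the request/reply text following the three fmt templates in the reply, so the difference between the two lines shows up as the addl value ("%12" versus "%13 @290"). It also checks that the endpoints written into msg agree with the sa/sp/da/dp fields, which they do not for the second line (da=60.50.247.122 while msg says 60.50.247.88/81). The first two sample lines are the ones from the thread; the third, in the http.bro "<no reply>" shape, is constructed. The names msg_parts, template, addl and body are my own.

```python
import re

# Sample input: lines 1 and 2 are the alarm-log lines from the thread (verbatim);
# line 3 is CONSTRUCTED here in the shape of http.bro's "<no reply>" template,
# with spaces escaped the same way the real lines escape them.
SAMPLE_LINES = [
    r't=1190249317.414519 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS sa=60.50.247.122 sp=37248/tcp da=58.215.65.113 dp=8000/tcp method=GET url=/announce?peer_id=-KT2100-359018798262&port=6881&uploaded=0&downloaded=0&left=33554432&compact=1&numwant=100&key=1458894583&event=started&info_hash=\xd0\x9c;\xd8\xe6z/V\xe8\x89\x9c^K\xc3\xe0?pL\x1b\xaef num=302 msg=60.50.247.122/37248\ >\ 58.215.65.113/8000\ %12:\ GET\ /announce?peer_id=-KT2100-359018798262&port=6881&uploaded=0&downloaded=0&left=33554432&compact=1&numwant=100&key=1458894583&event=started&info_hash=\\xd0\\x9c;\\xd8\\xe6z/V\\xe8\\x89\\x9c^K\\xc3\\xe0?pL\\x1b\\xaef\ (302\ "Found"\ [0]\ btfans.3322.org:8000) tag=@274',
    r't=1190253817.786857 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS sa=211.25.195.202 sp=46862/tcp da=60.50.247.122 dp=81/tcp method=GET url=/mro/favicon.ico num=404 msg=211.25.195.202/46862\ >\ 60.50.247.88/81\ %13\ @290:\ GET\ /mro/favicon.ico\ (404\ "Not\ Found"\ [279]\ whatever.zapto.org:81) tag=@290',
    r't=1190260000.000000 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS sa=10.0.0.5 sp=40000/tcp da=10.0.0.9 dp=80/tcp method=GET url=/example msg=10.0.0.5:40000\ ->\ 10.0.0.9:80\ %14:\ <no\ reply> tag=@300',
]

# msg as built by http-request.bro / http-reply.bro:
#   "<orig_h>/<orig_p> > <resp_h>/<resp_p> <c$addl>: <request or request+reply>"
ID_MSG_RE = re.compile(
    r'^(?P<orig_h>[^/\s]+)/(?P<orig_p>\d+) > (?P<resp_h>[^/\s]+)/(?P<resp_p>\d+) '
    r'(?P<addl>.*?): (?P<body>.*)$')

# msg as built by http.bro: "%s:%d -> %s:%d %s: <no reply>"
NO_REPLY_RE = re.compile(
    r'^(?P<orig_h>[^\s:]+):(?P<orig_p>\d+) -> (?P<resp_h>[^\s:]+):(?P<resp_p>\d+) '
    r'(?P<addl>\S+): <no reply>$')

# Body text: "METHOD URI" optionally followed by '(STATUS "REASON" ...)'
# as seen in the two real lines (the bracketed number and trailing host:port
# are kept together as "extra" because the thread does not say what they are).
REQ_REP_RE = re.compile(
    r'^(?P<method>\S+) (?P<uri>\S+)'
    r'(?: \((?P<status>\d+) "(?P<reason>[^"]*)" (?P<extra>.*)\))?$')


def split_fields(line):
    """Split one alarm-log line into a dict of key=value fields.

    Values escape a space as '\\ ' and a backslash as '\\\\'; any other
    backslash sequence (e.g. the \\xd0 bytes inside the URL) is kept as-is,
    so the url field and the URL inside msg come out identical."""
    tokens, buf, i, n = [], [], 0, len(line)
    while i < n:
        ch = line[i]
        if ch == '\\' and i + 1 < n:
            nxt = line[i + 1]
            if nxt == ' ':
                buf.append(' ')
            elif nxt == '\\':
                buf.append('\\')
            else:
                buf.append(ch + nxt)      # keep \x.. style escapes literally
            i += 2
            continue
        if ch == ' ':
            if buf:
                tokens.append(''.join(buf))
                buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        tokens.append(''.join(buf))
    fields = {}
    for tok in tokens:
        key, sep, value = tok.partition('=')
        if not sep:
            raise ValueError(f"token without '=': {tok!r}")
        fields[key] = value
    return fields


def parse_msg(msg):
    """Break msg into endpoints, the c$addl text and the body, recording which
    of the two fmt templates produced it ('id_string' or 'no_reply')."""
    m = ID_MSG_RE.match(msg)
    if m:
        return dict(m.groupdict(), template='id_string')
    m = NO_REPLY_RE.match(msg)
    if m:
        return dict(m.groupdict(), template='no_reply', body='<no reply>')
    raise ValueError(f'unrecognised msg format: {msg!r}')


def parse_body(body):
    """Split the request/reply text into method, uri, status, reason, extra."""
    m = REQ_REP_RE.match(body)
    return m.groupdict() if m else None


def parse_line(line):
    """Full parse: the key=value fields plus a msg_parts sub-dict."""
    fields = split_fields(line)
    fields['msg_parts'] = parse_msg(fields['msg'])
    return fields


def msg_agrees_with_fields(fields):
    """True when the endpoints inside msg equal sa/sp/da/dp.
    Ports are logged as '37248/tcp', so the protocol suffix is dropped."""
    p = fields['msg_parts']
    return (p['orig_h'] == fields['sa']
            and p['orig_p'] == fields['sp'].split('/')[0]
            and p['resp_h'] == fields['da']
            and p['resp_p'] == fields['dp'].split('/')[0])


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        f = parse_line(line)
        p = f['msg_parts']
        print(f"{f['no']} t={f['t']} template={p['template']} addl={p['addl']!r} "
              f"endpoints_agree={msg_agrees_with_fields(f)}")
```

Run as a script it prints one summary per line; the addl column is the part the question is about, and the endpoints_agree column flags the second line, whose da field and msg name different responder addresses.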