Question about HTTP policy capture filters

I am trying to get bro (9a8) to capture http events that are not coming
over port 80/tcp as well as several other ports.

The only way to do this currently is to modify to add the other
ports of interest (search on "80" to see where the additions are needed).
You'll also need to change the capture filter in http-request.bro (or make
your own version that adds the port to capture_filters - that's cleaner).

"not tcp dst port 80 and not tcp dst port 8080"

However, bro seems to be only reading one filter and not the second part
of filter.

This is strange - already treats 8080 (and 8000 and 3128) the
same as 80. Can you provide a trace that exhibits the problem?


Redefining capture_filters for (alternate) http in the site policy file should solve the problem.
I think there is http-request as well as http-reply settings to be done (like in case of squid cache proxy via port 3128)

redef capture_filters += {
        ["http-request"] = "tcp dst port 3128",

redef capture_filters += {
        ["http-reply"] = "tcp src port 3128",