Question about HTTP policy capture filters

Vern · June 24, 2005, 5:14am

I am trying to get bro (9a8) to capture http events that are not coming
over port 80/tcp as well as several other ports.

The only way to do this currently is to modify Sessions.cc to add the other
ports of interest (search on "80" to see where the additions are needed).
You'll also need to change the capture filter in http-request.bro (or make
your own version that adds the port to capture_filters - that's cleaner).

http-request.bro:
"not tcp dst port 80 and not tcp dst port 8080"

However, bro seems to be only reading one filter and not the second part
of filter.

This is strange - Sessions.cc already treats 8080 (and 8000 and 3128) the
same as 80. Can you provide a trace that exhibits the problem?

Vern

Aashish_Sharma · June 24, 2005, 6:43am

Redefining capture_filters for (alternate) http in the site policy file should solve the problem.
I think there is http-request as well as http-reply settings to be done (like in case of squid cache proxy via port 3128)

redef capture_filters += {
["http-request"] = "tcp dst port 3128",
};

redef capture_filters += {
["http-reply"] = "tcp src port 3128",
};

Aashish

Topic		Replies	Views
Question about HTTP policy capture filters Zeek	1	62	May 6, 2022
Traffic analysis by Bro Zeek	8	47	May 6, 2022
Bro 0.8 and vlans Zeek	1	66	May 6, 2022
can't get the http analyzer to print anything Zeek	3	61	May 6, 2022
problem of multi-interface monitor? Zeek	2	60	May 6, 2022

Question about HTTP policy capture filters

Related Topics