I am trying to get bro (9a8) to capture http events that are not coming
over port 80/tcp as well as several other ports.
The only way to do this currently is to modify Sessions.cc to add the other
ports of interest (search on "80" to see where the additions are needed).
You'll also need to change the capture filter in http-request.bro (or make
your own version that adds the port to capture_filters - that's cleaner).
http-request.bro:
"not tcp dst port 80 and not tcp dst port 8080"However, bro seems to be only reading one filter and not the second part
of filter.
This is strange - Sessions.cc already treats 8080 (and 8000 and 3128) the
same as 80. Can you provide a trace that exhibits the problem?
Vern