On the Bro wiki it mentions that Bro can be configured to output captured packets that look suspicious. The documentation regarding trace files seems to stop there. I know there is a -w flag, but that seems to be more related to using bro with the -i option, not for getting suspicious traffic. What do I need to do to configure Bro to output a trace file?
That would be one additional capability that would complement separating out my TG traffic and other traffic mentioned in the 'Question about Bro Capabilities' thread.
Which text are you referring to exactly? Apart from -w, the only
other thing I can think of is the built-in dump_current_packet(),
which saves the currently processed packet to disk---with the
typical problem that this is not very well defined.
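The two mechanisms mentioned in the reply above, shown in one small policy script as an added example (not code from the original thread or from the Bro distribution). It assumes the builtin is `dump_current_packet(file_name: string): bool` and the standard `http_request` event signature; the "suspicious" test (a `../` sequence in the request URI) and the file name are illustrative choices, not anything the thread describes.

```bro
# Added example: selectively write packets Bro considers suspicious to a
# trace file, as opposed to `bro -i eth0 -w all.pcap`, which records
# everything seen on the interface.
#
# Assumption: dump_current_packet() opens its dumper on the first call and
# keeps appending to that same file on later calls, so the file name is
# effectively fixed once the first packet has been written.  The trace
# therefore contains only the single packet being processed when the
# builtin is invoked, not the whole connection.

global suspicious_trace = "suspicious.pcap" &redef;

# Illustrative trigger only: flag HTTP requests whose URI contains "../".
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	if ( /\.\.\// in unescaped_URI )
		{
		if ( dump_current_packet(suspicious_trace) )
			print fmt("dumped request packet from %s:%d for %s",
			          c$id$orig_h, c$id$orig_p, unescaped_URI);
		else
			print fmt("dump_current_packet failed for %s", c$id$orig_h);
		}
	}
```

Run it offline against a capture with `bro -r input.pcap suspicious.bro` (assumed invocation) and inspect `suspicious.pcap` with tcpdump; because only the currently processed packet is written, expect individual request packets rather than reassembled streams, which is the "not very well defined" behaviour the reply refers to.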
When running bro (1.3.2), I get several 'unmatched_HTTP_reply' statements, and looking at the output in http.log I get several '<unknown request>'. I then printed out the conn_id for these requests, then did a random sampling of those within the pcap. All of the sessions looked ok, as in no different than the successfully matched request/reply flows. What might cause these unmatched replies?