What goes into http_log?

Chris_Doman · August 7, 2013, 10:16am

Hi all,

Does anyone know if http_log records everything from port 80, or anything detected as the HTTP protocol etc?

I’m asking as I would like to detect software that communicates over port 80 or 8080 but that isn’t infact using HTTP (some beaconing malware for example communicates over port 80).

And similarly it would be very useful to be able to detect non SSL over port 443. I’m thinking that checking for ssl.log where cipher="-" might be a good idea, if ssl.log records everything over port 443.

Apologies if this has been answered before, I couldn’t find the answer from a quick google and code check.

Thanks,
Chris

Swan_Jay · August 7, 2013, 5:24pm

It records everything detected as HTTP. Here’s a sample showing a bunch of ports detected as HTTP:

me@so1204:/nsm/bro/logs/current$ bro-cut id.resp_p < http_eth1.log | sort -u

2350

3690

4004

80

8014

8080

8888

9090

For the second part I think the right way would be to search conn.log for tcp/443, then “grep –v ssl” on the results. But I’m not sure.

Topic		Replies	Views
"Faking" connections and http records Zeek	4	79	May 6, 2022
URL logs Zeek	5	80	May 6, 2022
Blank HTTP logs Zeek	3	152	May 6, 2022
http.log event Zeek	2	92	May 6, 2022
Why am I seeing SSL "files" in my files.log? Zeek	2	111	May 6, 2022

What goes into http_log?

Related topics