What goes into http_log?

Hi all,

Does anyone know if http_log records everything from port 80, or anything detected as the HTTP protocol etc?

I’m asking as I would like to detect software that communicates over port 80 or 8080 but that isn’t in fact using HTTP (some beaconing malware for example communicates over port 80).

And similarly it would be very useful to be able to detect non-SSL over port 443. I’m thinking that checking for ssl.log where cipher="-" might be a good idea, if ssl.log records everything over port 443.

Apologies if this has been answered before, I couldn’t find the answer from a quick google and code check.

Thanks,
Chris

It records everything detected as HTTP. Here’s a sample showing a bunch of ports detected as HTTP:

me@so1204:/nsm/bro/logs/current$ bro-cut id.resp_p < http_eth1.log | sort -u
2350
3690
4004
80
8014
8080
8888
9090

For the second part I think the right way would be to search conn.log for tcp/443, then “grep -v ssl” on the results. But I’m not sure.
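The approach in the reply (take conn.log entries on a port, drop the ones whose detected service is the expected protocol) as a small script rather than a grep pipeline. This is an added example, not code from the thread or from Bro/Zeek itself. It assumes the Bro/Zeek ASCII conn.log layout with `#separator` and `#fields` header lines and the standard `id.resp_p`, `proto`, `service`, `orig_bytes` and `resp_bytes` columns; the log lines embedded below are constructed, and the port-to-service mapping (80 and 8080 should carry http, 443 should carry ssl) is an assumption matching what the question asks for. The one check worth adding over a plain grep is skipping connections that carried no payload: Bro can only label a protocol it actually saw, so a `-` service on an empty or half-open connection is not evidence of a non-HTTP beacon.

```python
"""Flag TCP connections on web ports whose payload Bro/Zeek did not identify
as the expected protocol, using the conn.log 'service' column.

Added example for the thread above, not part of Bro/Zeek. Assumes the
ASCII (tab-separated) conn.log layout with '#separator' and '#fields'
headers; the sample records below are constructed, not captured traffic.
"""

from typing import Dict, Iterator, List, Tuple

# Assumption: the protocol that should have been detected on each port.
EXPECTED_SERVICE = {80: "http", 8080: "http", 443: "ssl"}

# Constructed conn.log excerpt (real tabs between columns):
#   Cuid1  normal HTTP on 80
#   Cuid2  normal TLS on 443
#   Cuid3  payload on 80 that Bro could not identify (the beacon case)
#   Cuid4  plain HTTP on 443
#   Cuid5  SYN with no payload on 443 -> must not be flagged
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tstring
1400000000.1\tCuid1\t10.0.0.5\t51000\t93.184.216.34\t80\ttcp\thttp\t0.5\t300\t1200\tSF\tShADadFf
1400000001.2\tCuid2\t10.0.0.5\t51001\t93.184.216.34\t443\ttcp\tssl\t1.0\t2000\t9000\tSF\tShADadFf
1400000002.3\tCuid3\t10.0.0.7\t51002\t203.0.113.9\t80\ttcp\t-\t0.2\t64\t64\tSF\tShADadFf
1400000003.4\tCuid4\t10.0.0.7\t51003\t203.0.113.9\t443\ttcp\thttp\t0.3\t400\t800\tSF\tShADadFf
1400000004.5\tCuid5\t10.0.0.8\t51004\t203.0.113.9\t443\ttcp\t-\t0.0\t0\t0\tS0\tS
"""


def parse_zeek_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record of a Bro/Zeek ASCII log, keyed by '#fields' names."""
    fields: List[str] = []
    sep = "\t"
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#separator "):
            # Header spells the separator as an escape, e.g. '\x09' for tab.
            sep = raw[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if raw.startswith("#"):
            key, _, value = raw[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            continue  # other header lines (#types, #close, ...) are not needed
        values = raw.split(sep)
        if not fields or len(values) != len(fields):
            continue  # truncated or malformed record
        yield dict(zip(fields, values))


def _count(value: str) -> int:
    """conn.log writes '-' for an unset count; treat it as zero."""
    return 0 if value in (None, "-") else int(value)


def find_unexpected_services(text: str,
                             expected: Dict[int, str] = EXPECTED_SERVICE
                             ) -> List[Tuple[str, int, str]]:
    """Return (uid, resp_port, service) for TCP connections to a watched port
    whose detected service list does not contain the expected protocol.

    Connections that carried no bytes are skipped: Bro cannot label a
    protocol it never saw, so '-' there says nothing about the software.
    """
    hits: List[Tuple[str, int, str]] = []
    for rec in parse_zeek_log(text):
        if rec.get("proto") != "tcp":
            continue
        port = int(rec["id.resp_p"])
        if port not in expected:
            continue
        if _count(rec.get("orig_bytes")) + _count(rec.get("resp_bytes")) == 0:
            continue
        # 'service' may list several protocols separated by commas.
        services = set() if rec["service"] == "-" else set(rec["service"].split(","))
        if expected[port] not in services:
            hits.append((rec["uid"], port, rec["service"]))
    return hits


if __name__ == "__main__":
    for uid, port, service in find_unexpected_services(SAMPLE_CONN_LOG):
        print(f"{uid}: port {port} expected {EXPECTED_SERVICE[port]}, bro saw {service!r}")
```

On the constructed sample this reports Cuid3 (payload on 80 with no identified protocol) and Cuid4 (HTTP where TLS was expected on 443) and stays silent on the empty Cuid5 connection. To run it over a real log, read `/nsm/bro/logs/current/conn.log` (or the rotated file) and pass its contents instead of `SAMPLE_CONN_LOG`; the parser only depends on the header lines, so additional columns in newer versions do not break it.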