I am using Zeek in a container with host networking. My Bro/Zeek version is as follows. The commands executed in the container are shown in bold.
docker run --cap-add=NET_RAW --net=host --rm blacktop/zeek --version
bro version 2.6-255
I ran zeek with detect-webapps bro script from policy. I browsed a couple of phpadmin websites etc but I could not get any logs specific to detect-webapps.
docker run --cap-add=NET_RAW --net=host --rm blacktop/zeek -i 'enp2s0' protocols/http/detect-webapps
listening on enp2s0
I don't see an http.log. That implies that you may not have seen any HTTP traffic. Can you share a pcap of what you are watching?
Hi, sorry, there is an http.log too. It got generated when I browsed some of the data.
I am watching the interface with -i.
I browsed some HTTP websites and then http.log appears. What exactly does the detect-webapps log look like, or is it just a part of http.log? I really don't know.
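For readers wondering where a detection like this ends up: the shipped detect-webapps policy records matches through Zeek's Software framework, so they land in software.log (with a web-application software type), not in http.log. The script below is an added, self-contained illustration of that pattern, not the policy script's own code; the cookie-based phpMyAdmin match and the `WebAppDemo` module name are assumptions made for the example.

```zeek
# Added example: a minimal detect-webapps-style detector. A server response
# that matches is reported via Software::found(), which writes software.log.
@load base/protocols/http
@load base/frameworks/software

module WebAppDemo;

export {
    ## Hypothetical software type used by this example (the real policy
    ## script defines its own web-application type).
    redef enum Software::Type += { WEB_APPLICATION };
}

event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    # Only inspect headers sent by the server, not by the client.
    if ( is_orig )
        return;

    # Assumed fingerprint: a "Set-Cookie: phpMyAdmin=..." response header.
    # Zeek passes header names in upper case.
    if ( name == "SET-COOKIE" && /^phpMyAdmin=/ in value )
        {
        # The Software framework de-duplicates repeated sightings and logs
        # one software.log line per host/name/version combination.
        Software::found(c$id, [$name="phpMyAdmin",
                               $host=c$id$resp_h,
                               $host_p=c$id$resp_p,
                               $unparsed_version="phpMyAdmin",
                               $software_type=WEB_APPLICATION]);
        }
    }
```

Run it as `zeek -i <iface> this-script.zeek` and check software.log (the `software_type` column) rather than http.log; http.log still records every request independently of whether a fingerprint matched.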