
Newbie question here: I installed Bro on a fresh Ubuntu. I run bro and create HTTP requests from that Ubuntu. Bro logs the responses I get, but I don't see any logs of the OUTGOING requests. When I send HTTP requests TO the Apache server installed on that Ubuntu, I do see the arriving requests logged. I am monitoring the correct NIC. Wireshark does see the outgoing traffic. What do I need to do to get logs for

Bro 2.4.1 (downloaded tar.gz from bro.org), Ubuntu 14.04, using a proxy.

Thanks

ooga chaka

1 Answer


It's likely that your network card supports checksum offloading, causing Bro to see packets before a valid checksum has been computed on the outbound path by the network card. If Bro sees an invalid checksum, it will ignore the packet. The correct checksum is generated and inserted into the frame after Bro sees it, which is too late for your purposes.

There are at least three ways to get Bro not to ignore the packets:

  1. Add the -C flag to bro to ignore checksum validation.
  2. Set redef ignore_checksums = T; in $PREFIX/share/bro/site/local.bro, which also ignores checksum validation. Replace $PREFIX with the Bro installation directory, often /usr/local/bro.
  3. Disable checksum offloading on the NIC using ethtool --offload <int> rx off tx off so that correct checksums are generated to begin with. Replace <int> with the name of your interface.

More information at https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums

jonschipp
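To confirm the diagnosis in the answer above before changing anything, look at Bro's weird.log: packets dropped for checksum failures are recorded there as bad_IP_checksum, bad_TCP_checksum, bad_UDP_checksum and bad_ICMP_checksum weirds, and if transmit checksum offloading is the cause they should all have the monitored host as id.orig_h. The POSIX shell script below is an added example, not part of the original answer or of Bro itself; the weird.log sample it parses is constructed, and the host address 10.0.0.5, the column positions taken from the #fields header, and the use of mktemp are assumptions.

```shell
#!/bin/sh
# Added example: decide whether Bro is dropping a host's outgoing packets
# because of TX checksum offloading, by reading weird.log (Bro 2.x TSV format).
# Column layout assumed from the #fields header: 3 = id.orig_h, 7 = name.

# Write a constructed weird.log sample (not a real capture) to the path in $1.
make_sample_weird_log() {
    out=$1
    {
        printf '#separator \\x09\n'
        printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer\n'
        # Requests leaving the monitored host 10.0.0.5 arrive at Bro with bad checksums.
        printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t-\tF\tbro\n' 1457611200.1 CAbc1 10.0.0.5 43210 93.184.216.34 80 bad_TCP_checksum
        printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t-\tF\tbro\n' 1457611200.2 CAbc2 10.0.0.5 43211 93.184.216.34 80 bad_TCP_checksum
        printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t-\tF\tbro\n' 1457611200.3 CAbc3 10.0.0.5 51000 10.0.0.1 53 bad_UDP_checksum
        printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t-\tF\tbro\n' 1457611200.4 CAbc4 10.0.0.5 43212 93.184.216.34 80 bad_IP_checksum
        # Inbound traffic carries valid checksums; this unrelated weird must not be counted.
        printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t-\tF\tbro\n' 1457611201.0 CAbc5 203.0.113.7 55123 10.0.0.5 80 data_before_established
    } > "$out"
}

# Number of checksum-failure weirds in the log given as $1 (header lines start with #).
count_checksum_weirds() {
    awk -F '\t' '!/^#/ && $7 ~ /^bad_(IP|TCP|UDP|ICMP)_checksum$/ { n++ } END { print n + 0 }' "$1"
}

# Number of checksum-failure weirds whose originator (id.orig_h) is host $1, in log $2.
checksum_weirds_from() {
    awk -F '\t' -v host="$1" \
        '!/^#/ && $3 == host && $7 ~ /^bad_(IP|TCP|UDP|ICMP)_checksum$/ { n++ } END { print n + 0 }' "$2"
}

# Exit status 0 when every checksum failure originates from host $1: the pattern
# TX checksum offloading produces, because the NIC fills in the checksum after
# Bro has already seen the frame. Exit status 1 if there are none, or some come
# from other hosts (then offloading on this NIC is not the whole story).
offload_suspected() {
    total=$(count_checksum_weirds "$2")
    local_only=$(checksum_weirds_from "$1" "$2")
    [ "$total" -gt 0 ] && [ "$total" -eq "$local_only" ]
}

# Stand-alone run against the constructed sample.
log=$(mktemp)
make_sample_weird_log "$log"
printf 'checksum weirds: %s, originating from 10.0.0.5: %s\n' \
    "$(count_checksum_weirds "$log")" "$(checksum_weirds_from 10.0.0.5 "$log")"
if offload_suspected 10.0.0.5 "$log"; then
    echo "all checksum failures originate locally: try 'bro -C', 'redef ignore_checksums = T;', or 'ethtool --offload <int> rx off tx off'"
fi
rm -f "$log"
```

Run it against a real log with `count_checksum_weirds /usr/local/bro/logs/current/weird.log` (path assumed) after sourcing the functions. `ethtool -k <int>` shows the NIC's current offload settings, so you can confirm that tx-checksumming is on before turning it off. Of the three fixes in the answer, the ethtool one is the only one that keeps checksum validation working; `-C` and `ignore_checksums = T` also let through packets that are genuinely corrupt, so prefer the NIC-side fix on a sensor where you control the interface.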