
I am using Security Onion image 16.04.5.6. I am new to Bro and according to this, in the current folder I should be able to find the http.log file. However, I only see:

loaded_scripts.log  reporter.log  stderr.log
packet_filter.log   stats.log     stdout.log

I have found in the FAQ here that when I use Bro as a command-line utility and provide the -C parameter, I am able to see the http.log.

But when I use BroCtl, the http.log is missing. I have tried to change

redef ignore_checksums = T;

but this option is missing in my local.bro file.

And the last FAQ solution seems to be working:

sudo ethtool --offload enp0s3 rx off tx off
Cannot get device udp-fragmentation-offload settings: Operation not supported
Cannot get device udp-fragmentation-offload settings: Operation not supported
Actual changes:
tx-checksumming: off
    tx-checksum-ip-generic: off
tcp-segmentation-offload: off
    tx-tcp-segmentation: off [requested on]

However, in my current folder I still cannot find http.log.

Any ideas what I can do now or what am I missing?

  • Are you absolutely certain that HTTP traffic is passing the sensor? Bro will only create logs for traffic that it sees. – David Hoelzer May 10 '19 at 13:22
  • You're also not seeing other basic logs, such as conn.log. Check the existing logs (reporter.log, stderr.log, stdout.log) to see if they reveal any clues. – Christian May 10 '19 at 18:08
  • I have reinstalled the SO and I have realized that I had set the wrong network interface as the sniffing sensor. (HTTP traffic wasn't passing that sensor.) – roffensive May 13 '19 at 16:43
  • Based on the comments from @roffensive, this should be closed. – David Hoelzer May 14 '19 at 13:18
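The three checks the thread turns on, folded into one script as an added example (this is not code from the question, from Bro, or from Security Onion): it reads a copy of the sensor's stats.log and reporter.log plus the output of `ethtool -k IFACE` for the sniffing interface, and reports whether Bro processed any packets at all (the actual cause here: the wrong interface), whether Bro warned about invalid checksums, and which offload features are still on. Note that `ethtool --offload enp0s3 rx off tx off`, as run in the question, only turns off rx/tx checksumming; GSO and GRO stay as they were, so the script lists those too. All sample inputs are constructed: stats.log is shown with a subset of its real columns, and the reporter warning text is a paraphrase of Bro's checksum-offloading notice, not a verbatim copy.

```python
"""Added diagnostic for "broctl produces no http.log" (example code, not Bro's)."""
import re
from typing import Dict, List

# Offload features that let the NIC rewrite checksums or coalesce/segment
# packets. `ethtool --offload IFACE rx off tx off` only touches the first two.
OFFLOAD_FEATURES = (
    "rx-checksumming",
    "tx-checksumming",
    "tcp-segmentation-offload",
    "generic-segmentation-offload",
    "generic-receive-offload",
    "large-receive-offload",
)


def parse_ethtool_features(text: str) -> Dict[str, str]:
    """Map top-level `ethtool -k` feature names to 'on'/'off'.

    Indented sub-features and trailing '[fixed]' / '[requested on]' notes are
    ignored; only the effective top-level state matters for this check.
    """
    feats: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        m = re.match(r"([\w-]+):\s*(on|off)\b", line)
        if m:
            feats[m.group(1)] = m.group(2)
    return feats


def offloads_still_on(features: Dict[str, str]) -> List[str]:
    """Offload features a sniffing interface should have off but does not."""
    return [f for f in OFFLOAD_FEATURES if features.get(f) == "on"]


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro ASCII log (tab-separated, '#fields' header) into row dicts."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def packets_processed(stats_log: str) -> int:
    """Total pkts_proc over all stats.log samples (0 means Bro saw nothing)."""
    return sum(int(r["pkts_proc"]) for r in parse_bro_log(stats_log))


def checksum_warnings(reporter_log: str) -> List[str]:
    """reporter.log messages that mention checksums."""
    return [r["message"] for r in parse_bro_log(reporter_log)
            if "checksum" in r["message"].lower()]


def diagnose(stats_log: str, reporter_log: str, ethtool_output: str) -> List[str]:
    """Findings in priority order: no traffic first, then checksum/offload issues."""
    findings: List[str] = []
    if packets_processed(stats_log) == 0:
        findings.append("no-packets")      # wrong interface, or no SPAN/tap feed
    if checksum_warnings(reporter_log):
        findings.append("bad-checksums")   # -C / ignore_checksums, or fix offload
    for feat in offloads_still_on(parse_ethtool_features(ethtool_output)):
        findings.append("offload-on:" + feat)
    return findings


# --- constructed sample inputs (not real sensor data) ----------------------
STATS_LOG_NO_TRAFFIC = "\n".join([
    "#separator \\x09",
    "#fields\tts\tpeer\tmem\tpkts_proc\tbytes_recv\tpkts_dropped\tpkts_link",
    "1557494400.000000\tbro\t120\t0\t0\t0\t0",
    "1557494700.000000\tbro\t121\t0\t0\t0\t0",
])
STATS_LOG_TRAFFIC = "\n".join([
    "#fields\tts\tpeer\tmem\tpkts_proc\tbytes_recv\tpkts_dropped\tpkts_link",
    "1557494400.000000\tbro\t120\t1200\t900000\t0\t1200",
    "1557494700.000000\tbro\t121\t600\t450000\t0\t600",
])
REPORTER_LOG_CLEAN = "#fields\tts\tlevel\tmessage\tlocation\n"
REPORTER_LOG_CHECKSUM = "\n".join([
    "#fields\tts\tlevel\tmessage\tlocation",
    "1557494401.000000\tReporter::WARNING\tYour interface is likely receiving "
    "invalid TCP and UDP checksums, most likely from NIC checksum offloading.\t(empty)",
])
ETHTOOL_K_OUTPUT = """Features for enp0s3:
rx-checksumming: on
tx-checksumming: off
\ttx-checksum-ipv4: off [fixed]
\ttx-checksum-ip-generic: off
scatter-gather: on
tcp-segmentation-offload: off
\ttx-tcp-segmentation: off [requested on]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
"""

if __name__ == "__main__":
    print(diagnose(STATS_LOG_NO_TRAFFIC, REPORTER_LOG_CLEAN, ETHTOOL_K_OUTPUT))
    print(diagnose(STATS_LOG_TRAFFIC, REPORTER_LOG_CHECKSUM, ETHTOOL_K_OUTPUT))
```

On a real sensor, feed it the stats.log and reporter.log from the current log directory the question refers to and the output of `ethtool -k` for the interface named in broctl's node.cfg. A `no-packets` finding points at the interface selection (the resolution in this thread) before any checksum tuning; a quick independent confirmation is `tcpdump -i IFACE -c 10 port 80`, which should show packets if HTTP is really reaching the sniffing interface.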

0 Answers