radiumfu / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive

BRO_HTTP Parsing Issue ("status_code" and "content_length") #91

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The "status_code" and "content_length" fields are not parsing correctly from 
the bro_http logs.

What steps will reproduce the problem?
1. Forward Bro logs to ELSA
2. Query class=BRO_HTTP

What is the expected output? What do you see instead?
I am seeing the status code in the content length field and the request body 
length in the status code field.

What version of the product are you using? On what operating system?
Running on Ubuntu 12.04.

Please provide any additional information below.
I updated the patterndb.xml for bro_http to resolve the issue on my system:

<pattern>@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@@ESTRING:i3:|@@NUMBER::@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING:i5:|@@ESTRING:i4:|@</pattern>

Original issue reported on code.google.com by j...@exultium.com on 20 Jan 2013 at 5:16
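To make the swap concrete, the following added example (not code from ELSA or from the reporter) walks a constructed, pipe-separated Bro 2.x http.log line through the corrected pattern above and through a hypothetical "swapped" pattern that reproduces the reported symptom. The tokenizer is a minimal model of patterndb's @ESTRING@/@NUMBER@ syntax, not syslog-ng's implementation; the column order (ts, uid, id.orig_h, ..., request_body_len, response_body_len, status_code, status_msg) is assumed from Bro 2.x; SWAPPED_PATTERN is an assumption that matches the symptom, not the pattern the project actually shipped; and only the i4=status_code and i5=content_length slot names come from the issue text, the other slots are left as their patterndb names.

```python
import re

# Corrected pattern as posted in the issue, joined onto one line.
FIXED_PATTERN = (
    "@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@"
    "@ESTRING:i3:|@@NUMBER::@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@"
    "@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING::|@@ESTRING:i5:|@@ESTRING:i4:|@"
)

# Hypothetical pattern that reproduces the reported symptom (assumption, not the
# project's shipped pattern): i4 takes request_body_len, i5 takes status_code.
SWAPPED_PATTERN = (
    "@ESTRING::|@@ESTRING::|@@ESTRING:i0:|@@ESTRING:i1:|@@ESTRING:i2:|@"
    "@ESTRING:i3:|@@NUMBER::@|@ESTRING:s0:|@@ESTRING:s1:|@@ESTRING:s2:|@"
    "@ESTRING:s3:|@@ESTRING:s4:|@@ESTRING:i4:|@@ESTRING::|@@ESTRING:i5:|@"
)

# ELSA slot -> field name, taken from the issue text; other slots keep their slot name.
SLOT_NAMES = {"i4": "status_code", "i5": "content_length"}

# Constructed sample line (Bro 2.x http.log column order, assumed), pipe-separated.
SAMPLE_LINE = "|".join([
    "1358700000.123456",    # ts
    "CHhAvVGS1DHFjwGM9",    # uid
    "10.0.0.5", "51234",    # id.orig_h, id.orig_p
    "93.184.216.34", "80",  # id.resp_h, id.resp_p
    "1",                    # trans_depth
    "GET", "example.com", "/index.html", "-", "Mozilla/5.0",  # method .. user_agent
    "0",                    # request_body_len
    "1256",                 # response_body_len
    "200",                  # status_code
    "OK",                   # status_msg (not consumed by either pattern)
])

# @TYPE:name:arg@ ; for ESTRING arg is the delimiter, for NUMBER it is empty.
PARSER_RE = re.compile(r"@([A-Z]+):([^:@]*):([^@]*)@")


def tokenize(pattern):
    """Split a patterndb pattern into ("LITERAL", None, text) and (TYPE, name, arg) tokens."""
    tokens, pos = [], 0
    for m in PARSER_RE.finditer(pattern):
        if m.start() > pos:
            tokens.append(("LITERAL", None, pattern[pos:m.start()]))
        tokens.append((m.group(1), m.group(2) or None, m.group(3)))
        pos = m.end()
    if pos < len(pattern):
        tokens.append(("LITERAL", None, pattern[pos:]))
    return tokens


def apply_pattern(pattern, message):
    """Return (named values, unconsumed remainder); (None, message) if the pattern does not match.

    Trailing text after the last parser is returned untouched; how real patterndb
    treats such a remainder is not modeled here.
    """
    values, rest = {}, message
    for kind, name, arg in tokenize(pattern):
        if kind == "LITERAL":
            if not rest.startswith(arg):
                return None, message
            rest = rest[len(arg):]
            continue
        if kind == "ESTRING":            # everything up to (not including) the delimiter
            idx = rest.find(arg)
            if idx < 0:
                return None, message
            value, rest = rest[:idx], rest[idx + len(arg):]
        elif kind == "NUMBER":           # a run of digits
            m = re.match(r"\d+", rest)
            if not m:
                return None, message
            value, rest = m.group(0), rest[m.end():]
        else:
            raise ValueError("parser type not modeled: " + kind)
        if name:                         # unnamed parsers (e.g. @ESTRING::|@) only skip
            values[SLOT_NAMES.get(name, name)] = value
    return values, rest


if __name__ == "__main__":
    for label, pattern in (("swapped", SWAPPED_PATTERN), ("fixed", FIXED_PATTERN)):
        fields, _ = apply_pattern(pattern, SAMPLE_LINE)
        print(label, "status_code=%s content_length=%s"
              % (fields["status_code"], fields["content_length"]))
```

Running it prints the request body length in status_code and the HTTP status in content_length for the swapped pattern, and status_code=200 / content_length=1256 for the corrected one; the unnamed @ESTRING::|@ before i5 is what discards request_body_len.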

GoogleCodeExporter commented 8 years ago
Thanks for the report!  Should be fixed as of revision 610.

Original comment by mchol...@gmail.com on 20 Jan 2013 at 9:59

GoogleCodeExporter commented 8 years ago
Hi Martin,

Great, thanks for the quick response!

Josh

On Sun, Jan 20, 2013 at 4:59 PM, <enterprise-log-search-and-archive@googlecode.com> wrote:

Original comment by j...@exultium.com on 20 Jan 2013 at 10:04