


7.17 The http Analyzer

The http analyzer processes traffic associated with the Hypertext Transfer Protocol (HTTP) [RFC-1945], the main protocol used by the Web. Bro instantiates an http analyzer for any connection with service port 80/tcp, provided you have loaded the http analyzer or defined a handler for http_request. It also instantiates an analyzer for service ports 8080/tcp and 8000/tcp, as these are often also used for Web servers.

The analyzer uses a capture filter of “tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000” (see Filtering). Note: This filter excludes traffic sent by an HTTP server (which would be matched by tcp src port 80, etc.). Deficiency: This is because Bro doesn't yet have an analyzer for HTTP replies. The analyzer generates summaries of HTTP sessions (connections between the same client and server) and looks for access to sensitive URIs (effectively, URLs).
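To see what this filter lets through, the following added example (not part of the Bro manual or Bro's code) models it in Python over constructed IPv4/TCP headers. The function names and sample ports are assumptions, and only IPv4 is handled; the last case shows that a reply is still captured when the client's ephemeral port happens to be one of the three listed ports.

```python
import struct

# Destination ports named in the capture filter quoted above:
# "tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000"
HTTP_DST_PORTS = {80, 8080, 8000}

def build_ipv4_tcp(src_port, dst_port, frag_offset=0):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0, frag_offset & 0x1FFF, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH",
                      src_port, dst_port, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ip + tcp

def matches_capture_filter(packet):
    """Return True if the IPv4 packet would pass the http capture filter."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                          # not IPv4 (simplification)
    if packet[9] != 6:
        return False                          # IP protocol 6 = TCP
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return False                          # later fragment: no TCP header to test
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    if len(packet) < ihl + 4:
        return False                          # truncated before the TCP ports
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return dst_port in HTTP_DST_PORTS

def classify_samples():
    """Run the filter over constructed packets covering both directions."""
    samples = {
        "request to port 80":           build_ipv4_tcp(49152, 80),
        "reply from port 80":           build_ipv4_tcp(80, 49152),
        "request to unlisted 8888":     build_ipv4_tcp(49152, 8888),
        "later fragment to port 80":    build_ipv4_tcp(49152, 80, frag_offset=185),
        "reply to client on port 8000": build_ipv4_tcp(80, 8000),
    }
    return {name: matches_capture_filter(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, seen in classify_samples().items():
        print(f"{name:32s} {'captured' if seen else 'dropped'}")
```

A Web server listening on a port outside the three in the filter is invisible to the analyzer in both directions.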