http Analyzer
The http analyzer processes traffic associated with the Hyper Text Transfer Protocol (HTTP) [RFC-1945], the main protocol used by the Web. Bro instantiates an http analyzer for any connection with service port 80/tcp, providing you have loaded the http analyzer, or defined a handler for http_request. It also instantiates an analyzer for service ports 8080/tcp and 8000/tcp, as these are often also used for Web servers.

The analyzer uses a capture filter of “tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000” (See: Filtering). Note: This filter excludes traffic sent by an HTTP server (that would be matched by tcp src port 80, etc.), because Deficiency: Bro doesn't yet have an analyzer for HTTP replies.

It generates summaries of HTTP sessions (connections between the same client and server) and looks for access to sensitive URIs (effectively, URLs).
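The following sketch is an added example, not Bro's own code. It shows the effect of the request-only capture filter and the per-session summary with a sensitive-URI check. The packet dictionaries, the helper names and the sensitive-URI pattern are assumptions made for illustration; the sample packets are constructed.

```python
import re
from collections import defaultdict

# Destination ports named in the capture filter quoted above.
HTTP_DST_PORTS = {80, 8080, 8000}

# Assumption: illustrative pattern only, not Bro's actual sensitive-URI list.
SENSITIVE_URI = re.compile(r"/etc/(passwd|shadow)|\.\./")
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r?$")

def matches_filter(pkt):
    """Mirror 'tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000'."""
    return pkt["proto"] == "tcp" and pkt["dport"] in HTTP_DST_PORTS

def summarize(packets):
    """Group requests by (client, server) and flag sensitive URIs."""
    sessions = defaultdict(lambda: {"requests": [], "sensitive": []})
    for pkt in packets:
        if not matches_filter(pkt):
            continue  # server replies (src port 80 etc.) are dropped here
        first_line = pkt["payload"].split(b"\n", 1)[0]
        m = REQUEST_LINE.match(first_line)
        if not m:
            continue  # bare ACKs, request bodies, non-HTTP data
        method, uri = m.group(1).decode(), m.group(2).decode("latin-1")
        entry = sessions[(pkt["src"], pkt["dst"])]
        entry["requests"].append((method, uri))
        if SENSITIVE_URI.search(uri):
            entry["sensitive"].append(uri)
    return dict(sessions)

def P(src, sport, dst, dport, payload, proto="tcp"):
    """Build one constructed sample packet."""
    return {"proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "payload": payload}

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    P("192.0.2.10", 40000, "198.51.100.5", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    P("198.51.100.5", 80, "192.0.2.10", 40000, b"HTTP/1.0 200 OK\r\n\r\n"),
    P("192.0.2.10", 40001, "198.51.100.5", 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    P("192.0.2.77", 40002, "198.51.100.5", 8000, b"GET /status HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for (client, server), info in summarize(SAMPLE).items():
        print(client, "->", server, info)
```

The reply packet in the sample never reaches the request parser, which is why the summary carries no status codes: a blocked probe and a successful one look the same from the request side alone.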