[Bro] Something is not clear to me concerning reporting

Ian Dickens ian at south-border.com
Wed Oct 17 14:41:13 PDT 2012

So, lets say that I have tcp ports 587 and 993 exposed on my firewall.  I have bro running as a cluster on all interfaces.  I see logs about well known SSL/HTTP/HTTPS ports but no anomalies in the hourly summaries.  No alerts in email either (that I have seen).  Now I do need to cruise through all the rotated compressed logs to check and see if something was recorded. 

The second thing I am wondering about is that there are no references to interfaces where the traffic was seen.  For example, I have no IPv6 but I see unknown IPv6 traffic in the summary.  Tools like:


can be used to attempt to glean the MAC address to some degree.  But I cannot quickly tell which interface the packet came on to help decide where the threat lies between internal/dmz/external networks.  I can make some really good guesses but it might be nice to spell it it in the logs.  

Many thanks in advance,  Sorry for rambling and if these are features in the works…


More information about the Bro mailing list