[Bro] Capturing DHCP events
vladg at cmu.edu
Wed Mar 20 14:14:48 PDT 2013
I have an experimental git branch with DHCP support here: <https://github.com/grigorescu/bro/tree/remotes/origin/topic/vladg/dhcp>.
In order to use it, you'll need to do the following:
> git clone --recursive git://git.bro.org/bro
> cd bro
> git remote add dhcp_github https://github.com/grigorescu/bro.git
> git pull -s recursive -X theirs dhcp_github remotes/origin/topic/vladg/dhcp
Build Bro with the usual ./configure, make, make install.
To enable the DHCP script, add this to local.bro:
> @load base/protocols/dhcp
You should then see a dhcp.log. Here's an example from mine:
> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id
> #types time string addr port addr port string addr interval count
> 1363813938.019865 4qCaj285Yr1 128.237.242.XX 68 128.237.224.X 67 58:bd:a3:ff:ee:dd 128.237.242.WWW 240.000000 3420159137
> 1363813938.020145 XLPtua3OiKg 128.237.237.YY 68 128.237.224.Y 67 90:27:e4:99:aa:cc 128.237.237.ZZ 240.000000 3009200041
Please let me know if you run into any problems with the script. I've been running it in production for about a month, and it works well for me.
On Mar 20, 2013, at 3:55 PM, lyeph lyeph <lyeph at outlook.com> wrote:
> I'm looking into capturing DHCP events with Bro. I am hoping I am just overlooking a bro script that already handles the collection of DHCP events. The only one I have been able to find so far is at http://svn.icir.org/bro/trunk/bro/policy/dhcp.bro, but it does not appear to work with Bro 2.1. Can anyone point me in a better direction?
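An added example (not code from the post or from Bro) that parses the dhcp.log format shown above and uses lease_time to answer the incident-response question "which MAC held this IP at time T?". It assumes the real tab-separated layout of Bro ASCII logs and uses constructed sample records in place of the redacted ones.

```python
import ipaddress

# Constructed sample dhcp.log in the layout shown in the post; the
# addresses are made up, not the redacted ones from the message.
SAMPLE_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmac\tassigned_ip\tlease_time\ttrans_id
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\taddr\tinterval\tcount
1363813938.019865\t4qCaj285Yr1\t128.237.242.10\t68\t128.237.224.1\t67\t58:bd:a3:ff:ee:dd\t128.237.242.50\t240.000000\t3420159137
1363813938.020145\tXLPtua3OiKg\t128.237.237.11\t68\t128.237.224.2\t67\t90:27:e4:99:aa:cc\t128.237.237.60\t240.000000\t3009200041
1363814200.500000\tb7Qd1Lp0Ztk\t128.237.242.11\t68\t128.237.224.1\t67\t00:11:22:33:44:55\t128.237.242.50\t240.000000\t1122334455
"""

# Converters for the Bro column types that appear in dhcp.log.
CONVERTERS = {
    "time": float, "interval": float, "count": int, "port": int,
    "addr": ipaddress.ip_address, "string": str,
}

def parse_bro_log(text):
    """Return one dict per record, with values typed via the #types header."""
    fields = types = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#types"):
            types = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #path, #close, ...)
        else:
            cols = line.split("\t")
            if fields is None or types is None or len(cols) != len(fields):
                raise ValueError("malformed log line: %r" % line)
            records.append({f: CONVERTERS[t](v)
                            for f, t, v in zip(fields, types, cols)})
    return records

def mac_for_ip(records, ip, when):
    """MAC that held `ip` at epoch time `when`, using the newest lease whose
    [ts, ts + lease_time) window covers it; None if no lease covers it."""
    ip = ipaddress.ip_address(ip)
    best = None
    for r in records:
        if r["assigned_ip"] == ip and r["ts"] <= when < r["ts"] + r["lease_time"]:
            if best is None or r["ts"] > best["ts"]:
                best = r
    return best["mac"] if best else None
```

The third sample record reassigns 128.237.242.50 to a different MAC after the first 240-second lease has expired, so a lookup between the two leases correctly returns nothing rather than guessing.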