[Bro] Discovering known_hosts outside the network segment we are analyzing

Luis Miguel Silva luismiguelferreirasilva at gmail.com
Wed Jan 28 12:57:33 PST 2015


Dear all,

As I started playing around with bro, I noticed the ability to identify
known_hosts in the network.

My problem is that I need to identify hosts that are NOT part of my
networks.cfg:
root at local-bro:~# cat /usr/local/bro/etc/networks.cfg
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.

192.168.1.0/24          Private IP space
root at local-bro:~#

The default networks.cfg had multiple networks but, what I want to do is
detect what "invalid" traffic is flowing in the network (e.g. machines
in a 192.168.0.0/24 segment, sending out packets in my 192.168.1.0/24
network).

Here's my use case:
- I install a routing / sniffing appliance between the router and the
existing local network (192.168.0.0/24) so I can sniff the traffic with bro
- My appliance changes the network segment for the internal network to
something else (e.g. 192.168.1.0/24) and starts serving addresses in that
range using DHCP
-- all dynamically configured devices are set up with the new address
-- but then I discover that there were some devices in the previous network
that had static IP addresses in the 192.168.0.0/24 range, so they stop
working

What I would LIKE to do is have bro detect the "orphaned" 192.168.0.0/24
nodes in the known_hosts, even though my network is now 192.168.1.0/24.

I could do this by externally sniffing for arp requests but I would really
like to do it through bro...

Is the solution to specify all internal reserved ranges in networks.cfg?

192.168.0.0/16
10.0.0.0/8
...

Is this good practice? And is there a better approach to achieve what I
need?

Thank you,
Luis
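One way to do this inside Bro without widening networks.cfg, as an added example that is not part of the original post or of Bro's own scripts: keep networks.cfg describing only the current segment, list the old range separately, and raise a notice the first time a host from that range is seen sending traffic. The module name, the notice type and the contents of `stale_nets` are assumptions; `Site::is_local_addr`, `new_connection` and the Notice framework are standard Bro.

```bro
##! Report hosts that still use a renumbered-away ("stale") address range.
##! Added example; adjust stale_nets to the old segment.

@load base/frameworks/notice

module StaleHosts;

export {
    redef enum Notice::Type += {
        ## A host sent traffic from a subnet that should no longer be in use.
        Stale_Subnet_Host,
    };

    ## Ranges that were local before renumbering. Assumed value; networks.cfg
    ## (Site::local_nets) keeps describing only the current 192.168.1.0/24.
    const stale_nets: set[subnet] = { 192.168.0.0/24 } &redef;
}

# new_connection fires for every connection attempt, including ones that
# never complete, which is exactly the case for an orphaned static host
# whose packets go nowhere after the renumbering.
event new_connection(c: connection)
{
    local h = c$id$orig_h;

    # Anything still covered by networks.cfg is fine.
    if ( Site::is_local_addr(h) )
        return;

    if ( h !in stale_nets )
        return;

    # One notice per stale host per day; the identifier drives suppression.
    NOTICE([$note=Stale_Subnet_Host,
            $msg=fmt("%s is still using a stale subnet (talked to %s)",
                     h, c$id$resp_h),
            $conn=c,
            $identifier=cat(h),
            $suppress_for=1day]);
}
```

Note that known_hosts.log only records local hosts by default (`Known::host_tracking = LOCAL_HOSTS`), so stale addresses would never appear there unless that is redefined to `ALL_HOSTS`; hooking connections directly, as above, does not depend on that setting.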