[Bro] Discovering known_hosts outside the network segment we are analyzing

Luis Miguel Silva luismiguelferreirasilva at gmail.com
Wed Jan 28 12:57:33 PST 2015

Dear all,

As I started playing around with bro, I noticed the ability to identify
known_hosts in the network.

My problem is that I need to identify hosts that are NOT part of my
root at local-bro:~# cat /usr/local/bro/etc/networks.cfg
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "" or "fe80::/64" are valid prefixes.          Private IP space
root at local-bro:~#

The default networks.cfg had multiple networks but, what I want to do is
detect what "invalid" traffic is flowing in the network (e.g. machines
in a *
<>* segment, sending out packets in my *
<>* network).

Here's my use case:
- I install a routing / sniffing appliance between the router and the
existing local network (* <>*) so I can
sniff the traffic with bro
- My appliance changes the network segment for the internal network to
something else (e.g. * <>*) and starts
serving addresses in that range using dhcp
-- all dynamically configured devices setup with the new address
-- but then I discover that there were some devices in the previous network
that had static ip addresses in the * <>*
range, so they stop working

What I would LIKE to do is have bro detect the "orphaned" *
<>* nodes in the known_hosts, even though my network
is now * <>*.

I could do this by externally sniffing for arp requests but I would really
like to do it through bro...

Is the solution to specify all internal reserved ranges in networks.cfg?

* <> <>...*

Is this good practice? And is there a better approach to achieve what I

Thank you,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150128/5210cb4b/attachment.html 

More information about the Bro mailing list