[Bro] Discovering known_hosts outside the network segment we are analyzing

Donaldson, John donaldson8 at llnl.gov
Wed Jan 28 14:07:10 PST 2015

Are you thinking of something along the lines of:

redef Known::host_tracking = ALL_HOSTS;

(see https://www.bro.org/sphinx/scripts/policy/protocols/conn/known-hosts.bro.html)

This should record ALL observed hosts in the known_hosts file.

v/r John

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Luis Miguel Silva
Sent: Wednesday, January 28, 2015 12:58 PM
To: bro
Subject: [Bro] Discovering known_hosts outside the network segment we are analyzing

Dear all,
As I started playing around with bro, I noticed the ability to identify known_hosts in the network.
My problem is that I need to identify hosts that are NOT part of my networks.cfg:
root at local-bro:~# cat /usr/local/bro/etc/networks.cfg
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "<>" or "fe80::/64" are valid prefixes.
<>          Private IP space
root at local-bro:~#
The default networks.cfg had multiple networks but, what I want to do is detect what "invalid" traffic is flowing in the network (e.g. machines in a<> segment, sending out packets in my<> network).
Here's my use case:
- I install a routing / sniffing appliance between the router and the existing local network (<>) so I can sniff the traffic with bro
- My appliance changes the network segment for the internal network to something else (e.g.<>) and starts serving addresses in that range using dhcp
-- all dynamically configured devices are set up with the new address
-- but then I discover that there were some devices in the previous network that had static IP addresses in the<> range, so they stop working
What I would LIKE to do is have bro detect the "orphaned"<> nodes in the known_hosts, even though my network is now<>.
I could do this by externally sniffing for arp requests but I would really like to do it through bro...
Is the solution to specify all internal reserved ranges in networks.cfg?<><>
Is this good practice? And is there a better approach to achieve what I need?

Thank you,
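One way to build on John's `redef Known::host_tracking = ALL_HOSTS;` for Luis's use case, as an added example that is not from either poster: a small Bro policy script that raises a notice whenever a newly recorded known host falls inside a retired address range. The module name `OrphanedHosts`, the `orphaned_nets` variable and the 192.0.2.0/24 range are assumptions; substitute the real old segment.

```bro
# Added example, not part of the thread. Load known-hosts and widen it
# to every observed host, not only those inside networks.cfg.
@load base/frameworks/notice
@load protocols/conn/known-hosts

redef Known::host_tracking = ALL_HOSTS;

module OrphanedHosts;

export {
    redef enum Notice::Type += {
        ## A host was seen using an address from a retired segment.
        Orphaned_Host
    };

    ## Address ranges retired when the segment was renumbered.
    ## 192.0.2.0/24 is a constructed placeholder, not a real old range.
    const orphaned_nets: set[subnet] = { 192.0.2.0/24 } &redef;
}

# known-hosts fires this once per newly recorded host (it checks
# known_hosts itself), so each orphaned device is reported once.
event Known::log_known_hosts(rec: Known::HostsInfo)
    {
    if ( rec$host in orphaned_nets )
        NOTICE([$note=Orphaned_Host,
                $msg=fmt("host %s still uses a retired address range", rec$host),
                $src=rec$host,
                $identifier=cat(rec$host)]);
    }
```

known-hosts records an address only on `connection_established`, so a statically addressed device that never completes a TCP connection will not show up here; that is the gap the external ARP sniffing Luis mentions would still cover.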