[Bro] Discovering known_hosts outside the network segment we are analyzing
donaldson8 at llnl.gov
Wed Jan 28 14:07:10 PST 2015
Are you thinking of something along the lines of:
redef Known::host_tracking = ALL_HOSTS;
This should record ALL observed hosts in the known_hosts file.
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Luis Miguel Silva
Sent: Wednesday, January 28, 2015 12:58 PM
Subject: [Bro] Discovering known_hosts outside the network segment we are analyzing
As I started playing around with bro, I noticed the ability to identify known_hosts in the network.
My problem is that I need to identify hosts that are NOT part of my networks.cfg:
root at local-bro:~# cat /usr/local/bro/etc/networks.cfg
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8<http://10.0.0.0/8>" or "fe80::/64" are valid prefixes.
192.168.1.0/24<http://192.168.1.0/24> Private IP space
root at local-bro:~#
The default networks.cfg had multiple networks but, what I want to do is detect what "invalid" traffic is flowing in the network (e.g. machines in a 192.168.0.0/24<http://192.168.0.0/24> segment, sending out packets in my 192.168.1.0/24<http://192.168.1.0/24> network).
Here's my use case:
- I install a routing / sniffing appliance between the router and the existing local network (192.168.0.0/24<http://192.168.0.0/24>) so I can sniff the traffic with bro
- My appliance changes the network segment for the internal network to something else (e.g. 192.168.1.0/24<http://192.168.1.0/24>) and starts serving addresses in that range using dhcp
-- all dynamically configured devices setup with the new address
-- but then I discover that there were some devices in the previous network that had static ip addresses in the 192.168.0.0/24<http://192.168.0.0/24> range, so they stop working
What I would LIKE to do is have bro detect the "orphaned" 192.168.0.0/24<http://192.168.0.0/24> nodes in the known_hosts, even though my network is now 192.168.1.0/24<http://192.168.1.0/24>.
I could do this by externally sniffing for arp requests but I would really like to do it through bro...
Is the solution to specify all internal reserved ranges in networks.cfg?
Is this good practice? And is there a better approach to achieve what I need?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro