[Bro] Discovering known_hosts outside the network segment we are analyzing
donaldson8 at llnl.gov
Wed Jan 28 15:26:38 PST 2015
Just add the redef line to somewhere in your local site config. No need to change things anywhere else.
From: Luis Miguel Silva [mailto:luismiguelferreirasilva at gmail.com]
Sent: Wednesday, January 28, 2015 2:56 PM
To: Donaldson, John
Subject: Re: [Bro] Discovering known_hosts outside the network segment we are analyzing
Ah, yes! This seems to be exactly what I was looking for!
Let me ask you something else though, what is the best practice to set that variable without changing the base known-hosts.bro script? (as I was reading the documentation yesterday, it said we should avoid making changes to the base scripts).
Do I set that global parameter somewhere in a config file OR should I copy the known-hosts.bro script to my site/ directory and change it there?
p.s. this is probably a VERY stupid question but I'm brand new to bro (less than 24h), so I'm still trying to figure out how to properly use it :o)
On Wed, Jan 28, 2015 at 3:07 PM, Donaldson, John <donaldson8 at llnl.gov> wrote:
Are you thinking of something along the lines of:
redef Known::host_tracking = ALL_HOSTS;
This should record ALL observed hosts in the known_hosts file.
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Luis Miguel Silva
Sent: Wednesday, January 28, 2015 12:58 PM
Subject: [Bro] Discovering known_hosts outside the network segment we are analyzing
As I started playing around with bro, I noticed the ability to identify known_hosts in the network.
My problem is that I need to identify hosts that are NOT part of my networks.cfg:
root at local-bro:~# cat /usr/local/bro/etc/networks.cfg
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.
192.168.1.0/24 Private IP space
root at local-bro:~#
The default networks.cfg had multiple networks but, what I want to do is detect what "invalid" traffic is flowing in the network (e.g. machines in a 192.168.0.0/24 segment, sending out packets in my 192.168.1.0/24 network).
Here's my use case:
- I install a routing / sniffing appliance between the router and the existing local network (192.168.0.0/24) so I can sniff the traffic with bro
- My appliance changes the network segment for the internal network to something else (e.g. 192.168.1.0/24) and starts serving addresses in that range using dhcp
-- all dynamically configured devices are set up with the new address
-- but then I discover that there were some devices in the previous network that had static IP addresses in the 192.168.0.0/24 range, so they stop working
What I would LIKE to do is have bro detect the "orphaned" 192.168.0.0/24 nodes in the known_hosts, even though my network is now 192.168.1.0/24.
I could do this by externally sniffing for arp requests but I would really like to do it through bro...
Is the solution to specify all internal reserved ranges in networks.cfg?
Is this good practice? And is there a better approach to achieve what I need?
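One way to act on the ALL_HOSTS output discussed in this thread, as an added example that is not part of the original messages: a Python script that cross-references a Bro known_hosts.log against networks.cfg and reports hosts outside the declared local space, separating those still sitting in the old 192.168.0.0/24 segment. The networks.cfg body and the log excerpt are constructed samples, and the stale-segment prefix is a parameter rather than anything Bro itself knows about.

```python
import ipaddress

# Constructed networks.cfg, matching the one quoted in the thread: only the
# new 192.168.1.0/24 segment is declared local.
NETWORKS_CFG = """\
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
192.168.1.0/24 Private IP space
"""

# Constructed known_hosts.log excerpt (Bro tab-separated ASCII format) as it
# would look once Known::host_tracking = ALL_HOSTS records every observed host.
KNOWN_HOSTS_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\thost",
    "1422486398.123456\t192.168.1.10",
    "1422486400.000000\t192.168.0.37",
    "1422486401.500000\t192.168.1.1",
    "1422486402.250000\t192.168.0.5",
    "1422486403.000000\t8.8.8.8",
    "#close\t2015-01-28-15-26-38",
])

def parse_networks_cfg(text):
    """Return the local prefixes from a networks.cfg body (comments and tags dropped)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line.split()[0], strict=False))
    return nets

def parse_known_hosts_log(text):
    """Yield the host column of a Bro ASCII log, located via its #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif fields and line and not line.startswith("#"):
            yield ipaddress.ip_address(dict(zip(fields, line.split("\t")))["host"])

def orphaned_hosts(networks_cfg, known_hosts_log, stale_net="192.168.0.0/24"):
    """Split non-local known hosts into those still using the old segment and the rest."""
    local = parse_networks_cfg(networks_cfg)
    stale = ipaddress.ip_network(stale_net)
    report = {"stale_segment": [], "other_nonlocal": []}
    for host in parse_known_hosts_log(known_hosts_log):
        if any(host in net for net in local):
            continue                      # expected: inside networks.cfg
        key = "stale_segment" if host in stale else "other_nonlocal"
        report[key].append(str(host))
    return report
```

Calling orphaned_hosts(NETWORKS_CFG, KNOWN_HOSTS_LOG) on the samples lists the two statically addressed 192.168.0.0/24 devices separately from the unrelated external host; on a live sensor, feed it the real /usr/local/bro/etc/networks.cfg and known_hosts.log contents instead.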