[Bro] Discovering known_hosts outside the network segment we are analyzing

Donaldson, John donaldson8 at llnl.gov
Wed Jan 28 15:26:38 PST 2015

Just add the redef line to somewhere in your local site config. No need to change things anywhere else.

From: Luis Miguel Silva [mailto:luismiguelferreirasilva at gmail.com]
Sent: Wednesday, January 28, 2015 2:56 PM
To: Donaldson, John
Cc: bro
Subject: Re: [Bro] Discovering known_hosts outside the network segment we are analyzing

Ah, yes! This seems to be exactly what I was looking for!

Let me ask you something else though, what is the best practice to set that variable without changing the base known-hosts.bro script? (as I was reading the documentation yesterday, it said we should avoid making changes to the base scripts).

Do I set that global parameter somewhere in a config file OR should I copy the known-hosts.bro script to my site/ directory and change it there?

p.s. this is probably a VERY stupid question but I'm brand new to bro (less then 24h), so I'm still trying to figure out how to properly use it :o)

Thank you,

On Wed, Jan 28, 2015 at 3:07 PM, Donaldson, John <donaldson8 at llnl.gov<mailto:donaldson8 at llnl.gov>> wrote:
Are you thinking of something along the lines of:

redef Known::host_tracking = ALL_HOSTS;

(see https://www.bro.org/sphinx/scripts/policy/protocols/conn/known-hosts.bro.html)

This should record ALL observed hosts in the known_hosts file.

v/r John

From: bro-bounces at bro.org<mailto:bro-bounces at bro.org> [mailto:bro-bounces at bro.org<mailto:bro-bounces at bro.org>] On Behalf Of Luis Miguel Silva
Sent: Wednesday, January 28, 2015 12:58 PM
To: bro
Subject: [Bro] Discovering known_hosts outside the network segment we are analyzing

Dear all,
As I started playing around with bro, I noticed the ability to identify known_hosts in the network.
My problem is that I need to identify hosts that are NOT part of my networks.cfg:
root at local-bro:~# cat /usr/local/bro/etc/networks.cfg
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "<>" or "fe80::/64" are valid prefixes.<>          Private IP space
root at local-bro:~#
The default networks.cfg had multiple networks but, what I want to do is detect what "invalid" traffic is flowing in the network (e.g. machines in a<> segment, sending out packets in my<> network).
Here's my use case:
- I install a routing / sniffing appliance between the router and the existing local network (<>) so I can sniff the traffic with bro
- My appliance changes the network segment for the internal network to something else (e.g.<>) and starts serving addresses in that range using dhcp
-- all dynamically configured devices setup with the new address
-- but then I discover that there were some devices in the previous network that had static ip addresses in the<> range, so they stop working
What I would LIKE to do is have bro detect the "orphaned"<> nodes in the known_hosts, even though my network is now<>.
I could do this by externally sniffing for arp requests but I would really like to do it through bro...
Is the solution to specify all internal reserved ranges in networks.cfg?<><>
Is this good practice? And is there a better approach to achieve what I need?

Thank you,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150128/08a7cf61/attachment.html 

More information about the Bro mailing list