[Bro] Client identification from bro logs
pachinko.tw at gmail.com
Fri Sep 4 22:50:08 PDT 2015
It is well known that a client may be behind NAT or using DHCP, so identifying
an individual client solely from the IP address is unreliable. To track a client's behavior
from Bro logs, it is therefore important to separate the clients behind NAT or using DHCP.
Some passive methods for client identification were presented long ago, such as
The features leveraged by the above two papers, IP identifier and TCP timestamp
option, are unavailable from default Bro logs. I would like to know whether the existing
Bro design has a solution to this issue. Many thanks.