[Bro] Client identification from bro logs

Po-Ching Lin pachinko.tw at gmail.com
Fri Sep 4 22:50:08 PDT 2015

Hi all,

         It is well known that a client may be behind NAT or using DHCP, so identifying
an individual client solely from the IP address is unreliable. To track a client's behavior
from Bro logs, it is therefore important to separate the clients behind NAT or using DHCP.
Some passive methods for client identification were presented long ago, such as

https://www.cs.columbia.edu/~smb/papers/fnat.pdf, or

         The features leveraged by the above two papers, IP identifier and TCP timestamp
option, are unavailable from default Bro logs. I would like to know whether the existing
Bro design has a solution to this issue. Many thanks.


More information about the Bro mailing list