[Bro] Monitoring for MAC address

Patrick Kelley pkelley at hyperionavenue.com
Thu Oct 6 12:05:54 PDT 2016


Maybe using this?  Might work better than using Intel feeds.

https://github.com/evernote/bro-scripts/blob/master/bolo/scripts/main.bro


Patrick Kelley, CISSP

The limit to which you have accepted being comfortable is the limit to which
you have grown. Accept new challenges as an opportunity to enrich yourself
and not as a point of potential failure.


From:  <bro-bounces at bro.org> on behalf of "Zeolla at GMail.com"
<zeolla at gmail.com>
Date:  Thursday, October 6, 2016 at 11:55 AM
To:  "bro at bro.org" <bro at bro.org>
Subject:  [Bro] Monitoring for MAC address

I have a use case where I would like to monitor for certain MAC addresses in
use.  I took a look at the Intel framework
<https://www.bro.org/sphinx-git/scripts/base/frameworks/intel/main.bro.html#type-Intel::Type>
and it doesn't seem to have a type that can handle this.
Has anybody else encountered a similar scenario in the past?

The list will be ever-evolving and so I would like to be able to modify it
without having to restart my cluster (hence considering the Intel
framework).  I did find this thread
<http://mailman.icsi.berkeley.edu/pipermail/bro/2015-July/008819.html>, and
if I have to, I will just write a script that uses known_devices.  Thanks,

Jon
-- 
Jon
_______________________________________________ Bro mailing list
bro at bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
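As an added example for the scenario Jon describes (not code from this thread, from the linked bolo repository, or from the known_devices script): a small Bro script that keeps the MAC watch list in an external file loaded through the Input framework in REREAD mode, so the list can be edited without restarting the cluster, and raises a Notice when a listed MAC originates a connection. The module name, notice type, file path and record type are names chosen for this example.

```bro
##! Added example: watch for MAC addresses listed in an external file,
##! reloaded on change, and raise a notice when one originates a connection.

@load base/frameworks/input
@load base/frameworks/notice

module MACWatch;

export {
    redef enum Notice::Type += {
        ## A connection was seen whose originating MAC is on the watch list.
        Watched_MAC_Seen,
    };

    ## Assumed path. Tab-separated file with a "#fields<TAB>mac" header and
    ## one MAC per line in lowercase colon form (e.g. 00:11:22:33:44:55).
    const watchlist_file = "/opt/bro/share/mac-watchlist.tsv" &redef;

    ## Filled from the file by the Input framework; REREAD mode picks up
    ## edits to the file without a restart.
    global watched_macs: set[string] = set();
}

type Idx: record {
    mac: string;
};

event bro_init()
    {
    Input::add_table([$source=watchlist_file, $name="mac_watchlist",
                      $idx=Idx, $destination=watched_macs,
                      $mode=Input::REREAD]);
    }

event new_connection(c: connection)
    {
    # l2_addr is only present when link-layer headers were captured.
    if ( ! c$orig?$l2_addr )
        return;

    local mac = to_lower(c$orig$l2_addr);
    if ( mac !in watched_macs )
        return;

    NOTICE([$note=Watched_MAC_Seen,
            $msg=fmt("watched MAC %s originated a connection from %s", mac, c$id$orig_h),
            $conn=c,
            $identifier=cat(mac, c$id$orig_h)]);
    }
```

The `$identifier` lets the Notice framework suppress repeats for the same MAC and IP pair for the default suppression interval.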
