[Bro] Documentation and getting started.

Sniper daniel_aka_sniper_d at hotmail.com
Tue Oct 17 08:25:04 PDT 2017


OK, so I removed eth0/1 from Network Connections (the Ethernet connection), so br0 has br0 slave 1 and 2, which has removed the IP addresses and is now using MAC addresses on eth0/1.

Now when I ping the br0 192.168.10.1 I get activity using tcpdump; however, when I ping hosts Attacker and Victim from each other there is no activity on br0.

Regards
Daniel


On 17/10/2017 14:38, Daniel wrote:
Hello Jim,

Thanks a lot, just what I needed; trying to search for everything just takes up too much time.

Running as root is just sudo -s then broctl, right? Or do I need to change it as stated in that link you sent me?
No, tcpdump does not work against br0, but it runs against eth0 and eth1. I have assigned an IP address to br0; is this even required? I tried to use OpenBSD to accomplish a network tap, but brconfig, which configures the bridge, is not in the operating system for some reason. I get an error saying it's not recognised; after many hours of searching I couldn't find a solution.

Linux is a pain in the backside; it takes up so much time trying to find solutions to problems.

This is my layout. I have put everything on the same subnet just to get things started.

VM ethernet adapter(my PC)
192.168.10.5 - no gateway

Ubuntu (Bro/Bridge)
br0 192.168.10.1 - no gateway
eth0 192.168.10.2 - no gateway
eth1 192.168.10.3 - no gateway

Ubuntu Victim
192.168.10.6 - gw 192.168.10.2

Linux Kali Attacker
192.168.10.7 - gw 192.168.10.3

Regards
Daniel

On 16/10/2017 20:20, Jim Mellander wrote:
Hi Daniel:

Check this link for info on the bro directory structure that may help you: https://www.bro.org/sphinx/install/release-notes.html#script-organization

As far as monitoring a bridged interface, there should be no problem, as long as bro can access the interface. If you're not running as root, see: https://www.bro.org/documentation/faq.html#how-can-i-capture-packets-as-an-unprivileged-user

Does tcpdump provide expected output when run against br0?

Hope this helps,

Jim




On Mon, Oct 16, 2017 at 9:49 AM, Sniper <daniel_aka_sniper_d at hotmail.com> wrote:
Hello Everyone,

Is there a reference page on where all the default installation directory
locations are, by any chance? $PREFIX just makes it a very long process
establishing where all the files are located. If not, I think this would
be excellent for beginners like me.

Also, I have created a bridge interface that I want to monitor using
Ubuntu/bro by connecting two hosts; for some reason I can't seem to
generate any logs in /usr/local/bro/logs/ (no 'current' folder when bro
is started, as in the documentation). Is it even possible to monitor a
bridge interface using bro on the same host? I have already changed the
node.cfg interface to br0.

There are no tutorials anywhere on how to actually get started; I tried to
follow the instructions but still no luck, and I've been wasting days on
this. If someone could point me in the right direction I'll greatly
appreciate it.

Kind regards

Daniel





_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
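An added example for the setup discussed in this thread (it is not Bro project code and not something either poster ran): the commands that build an IP-less two-port Linux bridge for Bro to sniff on br0, the checks Jim asks for (tcpdump on br0, unprivileged capture via the FAQ's capability grant), and a small pre-deploy check that node.cfg really points at the bridge rather than a member port. It assumes Ubuntu with iproute2 and tcpdump, member ports eth0/eth1, bridge name br0 and the default /usr/local/bro prefix; the node.cfg it checks is a constructed sample. Two caveats worth knowing before trusting the tcpdump test: the kernel only hands forwarded frames up to br0 while br0 itself is in promiscuous mode, and tcpdump on br0 can only show Attacker-to-Victim traffic if the two hosts' only path to each other runs through the two bridge ports, not through the hypervisor's own virtual switch.

```shell
#!/bin/sh
# Added example for this thread (not Bro project code, not from the poster).
# Builds an IP-less two-port Linux bridge so Bro can sniff forwarded traffic
# on br0. Assumes Ubuntu with iproute2 and tcpdump, member ports eth0/eth1 and
# bridge name br0 (override with PORTS and BR).
BR="${BR:-br0}"
PORTS="${PORTS:-eth0 eth1}"

# Emit the privileged commands instead of running them, so they can be
# reviewed first and then applied with:  bridge_setup_cmds | sudo sh
bridge_setup_cmds() {
  echo "ip link add name $BR type bridge"
  # keep STP off so the tap stays silent (no BPDUs onto the monitored segment)
  echo "ip link set dev $BR type bridge stp_state 0"
  for p in $PORTS; do
    echo "ip addr flush dev $p"           # a tap port carries no address
    echo "ip link set dev $p master $BR"
    echo "ip link set dev $p promisc on"  # accept frames for any MAC
    echo "ip link set dev $p up"
  done
  echo "ip addr flush dev $BR"            # the bridge needs no address either
  # The kernel passes forwarded frames up to br0 (where tcpdump and Bro listen)
  # only while br0 is promiscuous; set it explicitly rather than relying on
  # the sniffer to do so.
  echo "ip link set dev $BR promisc on"
  echo "ip link set dev $BR up"
}

# Jim's check, plus the unprivileged-capture step from the Bro FAQ he linked:
# grant the bro binary capture rights instead of running broctl as root.
tap_check_cmds() {
  echo "bridge link show"                 # both ports should show 'master $BR'
  echo "tcpdump -ni $BR -c 5 icmp"        # ping Victim from Attacker meanwhile
  echo "setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro"
}

# Parse the interface broctl's node.cfg will sniff (first 'interface=' line).
node_cfg_interface() {
  sed -n 's/^[[:space:]]*interface[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Sanity check before 'broctl deploy': returns 0 only if node.cfg names the
# bridge; anything else (a member port, a typo, nothing) is reported on stderr.
check_node_cfg() {
  iface="$(node_cfg_interface "$1")"
  if [ "$iface" = "$BR" ]; then
    return 0
  fi
  echo "node.cfg sniffs '${iface:-nothing}' but the bridge is '$BR'" >&2
  return 1
}

# Constructed sample node.cfg in the default standalone layout (not a real file).
SAMPLE_CFG="$(mktemp)"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
[bro]
type=standalone
host=localhost
interface=br0
EOF

check_node_cfg "$SAMPLE_CFG" && echo "node.cfg OK: Bro will sniff $(node_cfg_interface "$SAMPLE_CFG")"
```

Review the generated command list, apply it with `bridge_setup_cmds | sudo sh`, then run the lines from `tap_check_cmds` one at a time: if `tcpdump -ni br0 -c 5 icmp` shows the pings while Attacker pings Victim, Bro started by `broctl deploy` against `interface=br0` will see the same frames.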