[Bro] Fwd: Other log files besides conn.log

Wayland Morgan dotwayland at gmail.com
Tue Oct 17 16:10:00 PDT 2017

I’m not the authority on Bro’s capabilities but http.log, ssl.log, ssh.log
are all protocol specific and none have any notion of hardware addresses.
If you’re looking to perform user attribution then I recommend pairing
these logs with DHCP data to obtain a hardware address which you can in
turn correlate with your lower layer information sources not processed by
Bro such as ARP and switch port data. You may also get some mileage out of
querying any domain specific authentication data where an explicit set of
user credentials was used to authenticate from a device.

If you’re doing any kind of centralized logging with something like ELK or
Splunk you might be able to create a custom search that pulls hardware
addresses into the logs you named, but as far as I know Bro won’t do this
natively (nor should it).

Hope this helps.


On Tue, Oct 17, 2017 at 9:44 AM Therenca Mureithi <
therencamureithi at gmail.com> wrote:

> ---------- Forwarded message ----------
> From: Therenca Mureithi <therencamureithi at gmail.com>
> Date: Tue, Oct 17, 2017 at 5:30 PM
> Subject: Other log files besides conn.log
> To: bro at bro.org
> Is there a way to add mac address to log files like http.log, ssl.log,
> ssh.log, especially when the ip addresses are dynamic. I have been able to
> add mac address to the conn.log file following bro related threads. I am
> not skilled at bro scripting but i would very much like to have this
> functionality. Why? Due to the fact that i want to track down users of the
> network and at one point their ip addresses do change, however rarely do
> mac address change unless ofcourse you have spoofed it. Kindly reply.
> Anyone.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171017/b3b0866d/attachment-0001.html 

More information about the Bro mailing list