[Bro] Fwd: Other log files besides conn.log
dotwayland at gmail.com
Tue Oct 17 16:13:41 PDT 2017
I was unaware of the mac-logging option. Thanks for sharing.
On Tue, Oct 17, 2017 at 6:04 PM Jim Mellander <jmellander at lbl.gov> wrote:
> Hi Therenca:
> You could add this to local.bro:
> @load policy/protocols/conn/mac-logging
> However, unless you're actually directly monitoring inside the border of a
> subnet, the host MAC address will not be seen, but the MAC addresses of the
> routers, so this may not be too useful.
> Depending on your network topology, dhcp.log might have some information
> on the mapping. You could also check your DHCP server's logs, which should
> have the information you need.
> Hope this helps,
> On Tue, Oct 17, 2017 at 7:34 AM, Therenca Mureithi <
> therencamureithi at gmail.com> wrote:
>> ---------- Forwarded message ----------
>> From: Therenca Mureithi <therencamureithi at gmail.com>
>> Date: Tue, Oct 17, 2017 at 5:30 PM
>> Subject: Other log files besides conn.log
>> To: bro at bro.org
>> Is there a way to add MAC addresses to log files like http.log, ssl.log,
>> ssh.log, especially when the IP addresses are dynamic? I have been able to
>> add the MAC address to the conn.log file following Bro-related threads. I am
>> not skilled at Bro scripting but I would very much like to have this
>> functionality. Why? Due to the fact that I want to track down users of the
>> network and at one point their IP addresses do change; however, MAC
>> addresses rarely change unless of course you have spoofed one. Kindly reply.
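An added example, not part of the original thread or of Bro's own scripts: once mac-logging is loaded, the MAC recorded in conn.log can be attached to http.log (or ssl.log, ssh.log) offline by joining on the shared uid column. The sample log lines, addresses and function names are constructed for illustration; orig_l2_addr is the conn.log field written by mac-logging.

```python
import io

# Constructed sample logs in Bro's tab-separated format (not real traffic).
CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\torig_l2_addr\tresp_l2_addr\n"
    "1508281200.1\tCa1\t10.0.0.5\t192.0.2.10\t00:11:22:33:44:55\taa:bb:cc:00:00:01\n"
    "1508284800.2\tCb2\t10.0.0.9\t192.0.2.10\t00:11:22:33:44:55\taa:bb:cc:00:00:01\n"
    "1508284900.3\tCc3\t10.0.0.7\t192.0.2.10\t-\t-\n"
)
HTTP_LOG = (
    "#fields\tts\tuid\tid.orig_h\thost\turi\n"
    "1508281200.5\tCa1\t10.0.0.5\texample.com\t/a\n"
    "1508284800.6\tCb2\t10.0.0.9\texample.com\t/b\n"
    "1508284900.7\tCc3\t10.0.0.7\texample.com\t/c\n"
)

def read_bro_log(stream):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def mac_by_uid(conn_stream):
    """Map connection uid -> originator MAC, skipping unset ('-') values."""
    return {r["uid"]: r["orig_l2_addr"] for r in read_bro_log(conn_stream)
            if r.get("orig_l2_addr", "-") != "-"}

def annotate(log_stream, macs):
    """Add an orig_l2_addr column to every record of a uid-keyed log."""
    out = []
    for rec in read_bro_log(log_stream):
        rec["orig_l2_addr"] = macs.get(rec["uid"], "-")
        out.append(rec)
    return out

def ips_per_mac(records):
    """Group the source IPs seen for each MAC, in order of first appearance."""
    seen = {}
    for rec in records:
        if rec["orig_l2_addr"] != "-":
            ips = seen.setdefault(rec["orig_l2_addr"], [])
            if rec["id.orig_h"] not in ips:
                ips.append(rec["id.orig_h"])
    return seen

if __name__ == "__main__":
    rows = annotate(io.StringIO(HTTP_LOG), mac_by_uid(io.StringIO(CONN_LOG)))
    print(ips_per_mac(rows))
```

The join only works after the connection's conn.log entry has been written, and on a sensor outside the hosts' subnet the joined value is the router's MAC, as the reply above points out.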