[Bro] Other log files besides conn.log
Charles A. Fair
charles.fair at mac.com
Sat Oct 21 22:50:47 PDT 2017
---------- Forwarded message ----------
> From: Therenca Mureithi <therencamureithi at gmail.com>
> Date: Tue, Oct 17, 2017 at 5:30 PM
> Subject: Other log files besides conn.log
> To: bro at bro.org
> Is there a way to add MAC addresses to log files like http.log, ssl.log, ssh.log, especially when the IP addresses are dynamic? I have been able to add the MAC address to the conn.log file following Bro-related threads. I am not skilled at Bro scripting, but I would very much like to have this functionality. Why? Due to the fact that I want to track down users of the network, and at one point their IP addresses do change; however, MAC addresses rarely change, unless of course you have spoofed them. Kindly reply. Anyone.
Check out how the Bro logs are modified in ROCK: http://rocknsm.io
We have added in ASNs in each log along with the IP addresses. You could replicate that, so the fields would be directly in the Bro logs of choice, but with the MAC addresses logged in the conn.log after enabling that policy script.
Charles "Chuck" A. Fair
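
An added example, not part of the original thread and not code from ROCK or the Bro project: since every Bro log record carries the `uid` of its connection, the MAC already logged in conn.log can be joined onto http.log (or ssl.log, ssh.log) after the fact instead of scripting each log. It assumes the default tab-separated log format and that the MAC logging policy script writes the originator MAC to a conn.log field named `orig_l2_addr`; all sample records are constructed.

```python
import io

UNSET = "-"  # Bro's default marker for an unset field

# Constructed sample data in Bro's tab-separated log layout (not real traffic).
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\torig_l2_addr\tresp_l2_addr\n"
    "1508300000.1\tCa1\t10.0.0.23\t93.184.216.34\t00:11:22:33:44:55\t66:77:88:99:aa:bb\n"
    "1508303600.4\tCb2\t10.0.0.57\t93.184.216.34\t00:11:22:33:44:55\t66:77:88:99:aa:bb\n"
    "1508303700.9\tCc3\t10.0.0.23\t93.184.216.34\tde:ad:be:ef:00:01\t66:77:88:99:aa:bb\n"
)
HTTP_LOG = (
    "#fields\tts\tuid\tid.orig_h\thost\turi\n"
    "1508300000.2\tCa1\t10.0.0.23\texample.com\t/a\n"
    "1508303600.5\tCb2\t10.0.0.57\texample.com\t/b\n"
    "1508303701.0\tCc3\t10.0.0.23\texample.com\t/c\n"
    "1508303800.0\tCd4\t10.0.0.99\texample.com\t/d\n"  # no conn.log entry yet
)


def read_bro_log(text):
    """Yield one dict per record, taking column names from the '#fields' header."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("log has no #fields header")
            yield dict(zip(fields, line.split("\t")))


def add_macs(conn_text, other_text):
    """Annotate another log's records with the originator MAC, joined on uid."""
    macs = {r["uid"]: r.get("orig_l2_addr", UNSET) for r in read_bro_log(conn_text)}
    out = []
    for rec in read_bro_log(other_text):
        rec["orig_l2_addr"] = macs.get(rec["uid"], UNSET)  # "-" when no match
        out.append(rec)
    return out


def hosts_by_mac(records):
    """Group originator IPs under each MAC to follow a device across IP changes."""
    seen = {}
    for rec in records:
        if rec["orig_l2_addr"] != UNSET:
            seen.setdefault(rec["orig_l2_addr"], set()).add(rec["id.orig_h"])
    return seen
```

conn.log records are written when a connection ends, so an http.log entry for a still-open connection has no match until then. The MAC is only that of the end host when the sensor sits on the same layer 2 segment; behind a router it is the router's MAC.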