[Bro] Capturing DHCP events

lyeph . lyeph at outlook.com
Thu Mar 21 05:13:41 PDT 2013


Vlad,
Thanks! This is very close to what I was looking for. Any plans to include the DHCP Options Host Name in the logs?

> From: vladg at cmu.edu
> To: lyeph at outlook.com
> CC: bro at bro.org
> Subject: Re: [Bro] Capturing DHCP events
> Date: Wed, 20 Mar 2013 21:14:48 +0000
> 
> I have an experimental git branch with DHCP support here: <https://github.com/grigorescu/bro/tree/remotes/origin/topic/vladg/dhcp>.
> 
> In order to use it, you'll need to do the following:
> 
> > git clone --recursive git://git.bro.org/bro
> > cd bro
> > git remote add dhcp_github https://github.com/grigorescu/bro.git
> > git pull -s recursive -X theirs dhcp_github remotes/origin/topic/vladg/dhcp
> 
> Build Bro with the usual ./configure, make, make install
> 
> To enable the DHCP script, add this to local.bro:
> 
> > @load base/protocols/dhcp
> 
> You should then see a dhcp.log. Here's an example from mine:
> 
> > #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	mac	assigned_ip	lease_time	trans_id
> > #types	time	string	addr	port	addr	port	string	addr	interval	count
> > 1363813938.019865	4qCaj285Yr1	128.237.242.XX	68	128.237.224.X	67	58:bd:a3:ff:ee:dd	128.237.242.WWW	240.000000	3420159137
> > 1363813938.020145	XLPtua3OiKg	128.237.237.YY	68	128.237.224.Y	67	90:27:e4:99:aa:cc	128.237.237.ZZ	240.000000	3009200041
> 
> Please let me know if you run into any problems with the script. I've been running it in production for about a month, and it works well for me.
> 
>   --Vlad
> 
> 
> On Mar 20, 2013, at 3:55 PM, lyeph lyeph <lyeph at outlook.com> wrote:
> 
> > Hello,
> > 
> > I'm looking into capturing DHCP events with Bro. I am hoping I am just overlooking a bro script that already handles the collection of DHCP events. The only one I have been able to find so far is at http://svn.icir.org/bro/trunk/bro/policy/dhcp.bro, but it does not appear to work with Bro 2.1. Can anyone point me in a better direction? 
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
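An added example, not part of the original thread or of the DHCP branch it describes: a small Python reader for a dhcp.log in the column layout quoted above, answering the usual incident-response question of which MAC address held a given IP at a given time. The sample rows, the function names `parse_dhcp_log` and `mac_for_ip`, and the addresses are constructed for illustration; it assumes `-` and `(empty)` are the unset and empty field markers (Bro's defaults).

```python
# Constructed sample in the dhcp.log layout shown above (tab-separated,
# documentation-range IP and MAC addresses; not real data).
SAMPLE_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmac\tassigned_ip\tlease_time\ttrans_id\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\taddr\tinterval\tcount\n"
    "1363813938.019865\tAAAAexample1\t192.0.2.10\t68\t192.0.2.1\t67\t00:00:5e:00:53:01\t192.0.2.10\t240.000000\t1001\n"
    "1363814200.500000\tAAAAexample2\t192.0.2.10\t68\t192.0.2.1\t67\t00:00:5e:00:53:02\t192.0.2.10\t240.000000\t1002\n"
    "1363814300.000000\tAAAAexample3\t192.0.2.11\t68\t192.0.2.1\t67\t00:00:5e:00:53:01\t192.0.2.11\t-\t1003\n"
)


def parse_dhcp_log(lines):
    """Yield one dict per lease record, naming columns from the #fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row seen before #fields header")
            values = line.split("\t")
            if len(values) != len(fields):
                continue  # truncated or malformed row: skip rather than misalign
            yield dict(zip(fields, values))


def mac_for_ip(records, ip, when):
    """Return the MAC whose lease on `ip` covers epoch time `when`, else None."""
    holder = None
    for rec in records:
        if rec["assigned_ip"] != ip or rec["lease_time"] in ("-", "(empty)"):
            continue  # different address, or lease length not recorded
        start = float(rec["ts"])
        if start <= when < start + float(rec["lease_time"]):
            holder = rec["mac"]  # a later matching record wins (renewal or reassignment)
    return holder


if __name__ == "__main__":
    recs = list(parse_dhcp_log(SAMPLE_LOG.splitlines(True)))
    print(mac_for_ip(recs, "192.0.2.10", 1363814250.0))
```

A lookup that falls between two leases returns `None`, which is the case to treat as "no attribution from DHCP alone" rather than guessing the nearest record.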
 		 	   		  