[Bro] [EXTERNAL] Re: Logging VLAN IDs

Thomas, Eric D edthoma at sandia.gov
Fri Apr 17 12:00:04 PDT 2015


Hi Robin, thanks for the reply. You can remove bro at bro.org if you want,
and I will follow your lead.

I was working from 2.3.2. I'll take a look at git master next.

In my specific case, I'm just interested in logging VLAN IDs. For each
connection it could be a set of VLAN IDs, perhaps multiple IDs tracked in
each direction. I'm dealing with a scenario where multiple streams of
traffic are coming into my Bro sensor's interface. I want a way to
demultiplex them, without relying upon IP address blocks. My ultimate goal
is to be able to identify which networks a connection is associated with.
If the VLAN IDs are just encapsulated in the connection ID, that would not
gain me anything.


Also, having link-level features be part of the connection index may be
dubious, but I'll let the experts decide. With MAC addresses, for example,
a packet might take a different route than other packets in the
connection, but I wouldn't want Bro to treat it as a different connection.
Perhaps the same thought applies to VLANs, I don't know. I'm also having
difficulty coming up with a security scenario where it provides additional
benefit to have link-level features in the connection index, except
perhaps detecting packet spoofing.


Looking forward to your thoughts on this,
-- 
Eric Thomas
edthoma at sandia.gov




On 4/17/15, 8:55 AM, "Robin Sommer" <robin at icir.org> wrote:

>(Cc'ing bro-dev, I suggest we continue the thread there).
>
>This sounds generally reasonable, however I think we could take the
>opportunity here to generalize this a bit more for generally including
>link-layer information into connection handling.
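As an added illustration of the data model Eric describes above (a set of VLAN IDs per connection, tracked per direction, kept beside the connection 5-tuple rather than inside it), here is a small stand-alone Python sketch. It is not code from this thread and not Bro script; the frame parser, the canonical-key function and the constructed sample frames are all assumptions made for the example.

```python
import struct
from collections import defaultdict
ETH_P_8021Q, ETH_P_8021AD, ETH_P_IP = 0x8100, 0x88A8, 0x0800  # EtherTypes

def parse_frame(frame):
    """Return (vlan_ids, src, sport, dst, dport, proto) for an Ethernet/IPv4
    TCP/UDP frame, else None; vlan_ids lists all 802.1Q/802.1ad tags, outer first."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off, vlans = 14, []
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):  # walk stacked (QinQ) tags
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)  # VLAN ID is the low 12 bits of the TCI
        off += 4
    if ethertype != ETH_P_IP or frame[off + 9] not in (6, 17):
        return None
    proto, src, dst = frame[off + 9], frame[off + 12:off + 16], frame[off + 16:off + 20]
    sport, dport = struct.unpack_from("!HH", frame, off + (frame[off] & 0x0F) * 4)
    return tuple(vlans), src, sport, dst, dport, proto

def conn_key(src, sport, dst, dport, proto):
    """Order the endpoints so both directions share one key, and report which
    direction this packet travelled relative to that key."""
    a, b = (src, sport), (dst, dport)
    return ((a, b, proto), "orig") if a <= b else ((b, a, proto), "resp")

def track_vlans(frames):
    """Connection key -> {"orig": set of VLAN-ID tuples, "resp": ...}. VLANs sit
    beside the 5-tuple, not in it, so a flow seen on two VLANs stays one connection."""
    table = defaultdict(lambda: {"orig": set(), "resp": set()})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            vlans, src, sport, dst, dport, proto = parsed
            key, direction = conn_key(src, sport, dst, dport, proto)
            table[key][direction].add(vlans)
    return table

def build_frame(vlan_ids, src_ip, sport, dst_ip, dport):
    """Constructed test data: minimal Ethernet / 802.1Q* / IPv4 / TCP frame."""
    hdr = b"\x00" * 12 + b"".join(struct.pack("!HH", ETH_P_8021Q, v) for v in vlan_ids)
    ip = b"\x45\x00" + struct.pack("!HHHBBH", 40, 0, 0, 64, 6, 0)
    ip += bytes(map(int, src_ip.split("."))) + bytes(map(int, dst_ip.split(".")))
    return hdr + struct.pack("!H", ETH_P_IP) + ip + struct.pack("!HH", sport, dport) + b"\x00" * 16

# Constructed sample: VLAN 100 outbound, VLAN 200 inbound, one QinQ 10/100 packet.
SAMPLE_FRAMES = [
    build_frame([100], "10.0.0.1", 1234, "10.0.0.2", 80),
    build_frame([200], "10.0.0.2", 80, "10.0.0.1", 1234),
    build_frame([10, 100], "10.0.0.1", 1234, "10.0.0.2", 80),
]
```

Running `track_vlans(SAMPLE_FRAMES)` yields a single connection whose originator side carries the VLAN sets {(100,), (10, 100)} and whose responder side carries {(200,)}, which is the per-direction view the mail asks for.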



