[Bro] Discovering known_hosts outside the network segment we are analyzing

Luis Miguel Silva luismiguelferreirasilva at gmail.com
Wed Jan 28 14:55:48 PST 2015


Ah, yes! This seems to be exactly what I was looking for!

Let me ask you something else though, what is the best practice to set that
variable without changing the base known-hosts.bro script? (as I was
reading the documentation yesterday, it said we should avoid making changes
to the base scripts).

Do I set that global parameter somewhere in a config file OR should I copy
the known-hosts.bro script to my site/ directory and change it there?

p.s. this is probably a VERY stupid question but I'm brand new to bro (less
than 24h), so I'm still trying to figure out how to properly use it :o)

Thank you,
Luis


On Wed, Jan 28, 2015 at 3:07 PM, Donaldson, John <donaldson8 at llnl.gov>
wrote:

> Are you thinking of something along the lines of:
>
> redef Known::host_tracking = ALL_HOSTS;
>
> (see
> https://www.bro.org/sphinx/scripts/policy/protocols/conn/known-hosts.bro.html
> )
>
> This should record ALL observed hosts in the known_hosts file.
>
> v/r John
>
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Luis
> Miguel Silva
> Sent: Wednesday, January 28, 2015 12:58 PM
> To: bro
> Subject: [Bro] Discovering known_hosts outside the network segment we
> are analyzing
>
> Dear all,
>
> As I started playing around with bro, I noticed the ability to identify
> known_hosts in the network.
>
> My problem is that I need to identify hosts that are NOT part of my
> networks.cfg:
> root at local-bro:~# cat /usr/local/bro/etc/networks.cfg
> # List of local networks in CIDR notation, optionally followed by a
> # descriptive tag.
> # For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.
>
> 192.168.1.0/24          Private IP space
> root at local-bro:~#
>
> The default networks.cfg had multiple networks but, what I want to do is
> detect what "invalid" traffic is flowing in the network (e.g. machines in a
> 192.168.0.0/24 segment, sending out packets in my 192.168.1.0/24 network).
>
> Here's my use case:
>
> - I install a routing / sniffing appliance between the router and the
> existing local network (192.168.0.0/24) so I can sniff the traffic with bro
>
> - My appliance changes the network segment for the internal network to
> something else (e.g. 192.168.1.0/24) and starts serving addresses in that
> range using dhcp
>
> -- all dynamically configured devices set up with the new address
>
> -- but then I discover that there were some devices in the previous
> network that had static ip addresses in the 192.168.0.0/24 range, so they
> stop working
>
> What I would LIKE to do is have bro detect the "orphaned" 192.168.0.0/24
> nodes in the known_hosts, even though my network is now 192.168.1.0/24.
>
> I could do this by externally sniffing for arp requests but I would really
> like to do it through bro...
>
> Is the solution to specify all internal reserved ranges in networks.cfg?
>
>
> 192.168.0.0/16 10.0.0.0/8 ...
>
> Is this good practice? And is there a better approach to achieve what I
> need?
>
>
> Thank you,
> Luis
>
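Added example, not code from either poster or from the Bro project: a site customization that applies John's redef without editing the base known-hosts.bro script, and then watches the resulting known_hosts entries for the orphaned range from Luis's scenario. It assumes the script is loaded from site/local.bro (the usual place for site changes), that 192.168.1.0/24 is what networks.cfg lists, and that 192.168.0.0/24 is the renumbered-away range; the module and notice names are made up for the example.

```bro
# Assumed to live in (or be @loaded from) site/local.bro, so that
# policy/protocols/conn/known-hosts.bro itself stays untouched.
@load protocols/conn/known-hosts
@load base/frameworks/notice

module OrphanHosts;

export {
    redef enum Notice::Type += {
        ## Raised once per host still seen using a range that was renumbered away.
        Orphaned_Host,
    };

    ## Ranges that no longer belong to the live segment (constructed for the example).
    ## Hosts observed here are the statically addressed devices left behind.
    const orphaned_ranges: set[subnet] = { 192.168.0.0/24 } &redef;
}

# Same setting John suggested: record every observed host, not only those
# inside Site::local_nets (which comes from networks.cfg).
redef Known::host_tracking = ALL_HOSTS;

# known-hosts.bro raises this event for each new host it writes to
# known_hosts.log, so every host reaches us exactly once.
event Known::log_known_hosts(rec: Known::HostsInfo)
{
    # An address against a set[subnet] matches if any listed prefix contains it.
    # The Site check keeps the notice quiet if the range is later re-added to
    # networks.cfg on purpose.
    if ( rec$host in orphaned_ranges && ! Site::is_local_addr(rec$host) )
        NOTICE([$note=Orphaned_Host,
                $msg=fmt("%s is still using a renumbered range", rec$host),
                $src=rec$host,
                $identifier=cat(rec$host)]);
}
```

The notice lands in notice.log alongside the known_hosts.log entry, so the orphaned devices can be found without a separate ARP sniffer.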