[Bro] Bro not producing a notice.log

Jeff Geiger jeff.geiger at gmail.com
Thu Apr 7 19:04:04 PDT 2016


I don't know if anything has changed in the last few years, but I know it
used to be the case that you could not put an AWS interface into
promiscuous mode.  To get around this, you had to use a tool like
daemonlogger to dump packets from the external interface to a tap, tun, or
bridge interface and monitor that.  For larger scale implementations, you
can use openvpn internally to route all the traffic back to your sensor.  I
set up a PoC doing similar with Snort a few years back. (
https://github.com/jeffgeiger/CloudSnort)  Hopefully that helps, if this is
still the case.

Best,

Jeff Geiger

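One check worth running before chasing Bro's notice framework is whether the worker's capture interface is actually in promiscuous mode at all. This is an added example (it is not code from the thread, from Jeff's CloudSnort repository, or from Bro itself) and assumes a Linux host, where the kernel exposes each interface's IFF_* flags as a hex string in /sys/class/net/<iface>/flags. If IFF_PROMISC never shows up after `ip link set <iface> promisc on`, the platform is ignoring the request and the worker only ever sees its own traffic, which is consistent with an empty notice.log. The `--demo` mode builds a constructed sysfs tree in a temporary directory so the script can be exercised without root or a real NIC.

```python
"""Report whether a Linux capture interface is really in promiscuous mode.

Reads /sys/class/net/<iface>/flags (the same IFF_* bits returned by
ioctl(SIOCGIFFLAGS)). Added example for the Bro-on-AWS thread; assumes a
Linux host. `--demo` runs against a constructed sample tree instead.
"""
import os
import sys
import tempfile

# IFF_* bits from <linux/if.h>, as they appear in the sysfs flags file.
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_RUNNING = 0x40
IFF_NOARP = 0x80
IFF_PROMISC = 0x100
IFF_MULTICAST = 0x1000

FLAG_NAMES = [
    (IFF_UP, "UP"), (IFF_BROADCAST, "BROADCAST"), (IFF_LOOPBACK, "LOOPBACK"),
    (IFF_RUNNING, "RUNNING"), (IFF_NOARP, "NOARP"), (IFF_PROMISC, "PROMISC"),
    (IFF_MULTICAST, "MULTICAST"),
]


def parse_flags(text):
    """Turn the sysfs file content (e.g. '0x1103\\n') into an integer bitmask."""
    return int(text.strip(), 16)


def decode_flags(flags):
    """Names of the known IFF_* bits set in `flags`, in a stable order."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def is_promiscuous(flags):
    """True if the kernel reports IFF_PROMISC on the interface."""
    return bool(flags & IFF_PROMISC)


def check_interface(iface, sysfs_root="/sys/class/net"):
    """Read the flags for `iface` under `sysfs_root` and summarise capture state."""
    with open(os.path.join(sysfs_root, iface, "flags")) as f:
        flags = parse_flags(f.read())
    return {
        "iface": iface,
        "up": bool(flags & IFF_UP),
        "running": bool(flags & IFF_RUNNING),
        "promiscuous": is_promiscuous(flags),
        "flags": decode_flags(flags),
    }


def build_sample_sysfs(root, values):
    """Constructed sample tree: `values` maps iface name -> flags hex string."""
    for iface, text in values.items():
        d = os.path.join(root, iface)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "flags"), "w") as f:
            f.write(text + "\n")


def main(argv):
    """Check one real interface (default eth0), or the constructed demo tree."""
    if len(argv) > 1 and argv[1] == "--demo":
        # Constructed values: eth0 is up and running but the promisc request was
        # ignored; tap0 (the software tap Bro would watch) has PROMISC set.
        with tempfile.TemporaryDirectory() as root:
            build_sample_sysfs(root, {"eth0": "0x1043", "tap0": "0x1143"})
            reports = [check_interface(i, root) for i in ("eth0", "tap0")]
    else:
        reports = [check_interface(argv[1] if len(argv) > 1 else "eth0")]
    for r in reports:
        ok = r["promiscuous"] and r["up"]
        verdict = "promiscuous" if ok else "NOT promiscuous, will only see own traffic"
        print(f"{r['iface']}: {' '.join(r['flags'])} -> {verdict}")
    return reports


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 check_promisc.py eth0` on the worker (no root needed to read sysfs) and compare with `python3 check_promisc.py --demo`; if the real interface never gains PROMISC, that is the symptom Jeff's tap/bridge workaround addresses, and Bro should be pointed at the tap interface instead.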

On Thu, Apr 7, 2016 at 6:04 PM, Mike Dopheide <dopheide at gmail.com> wrote:

> I want to say that's likely because AWS disables promiscuous mode so
> getting Bro to work requires some additional tricks.   Can anyone verify?
>
>
> On Thursday, April 7, 2016, Paweł Piszczatowski <pawelec93 at googlemail.com>
> wrote:
>
>> I have a Bro cluster setup in the AWS cloud, currently just with one
>> node. My problem is that Bro is not producing the notice.log, it should
>> just log successful SSH logins but it doesn't. I have tried SSH and FTP
>> brute-forcing the worker node and exceeding the limit of failed connections,
>> again no notice.log. I can see the detect-bruteforcing.bro scripts loaded
>> in the loaded_scripts.log. I am pretty new to Bro, so I am not sure what I
>> am doing wrong.
>>
>> Regards,
>>
>>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>