[Bro] Quick af_packet question
Jan Grashöfer
jan.grashoefer at gmail.com
Sat Dec 17 14:08:26 PST 2016
Hi James,
to be honest, I don't know that interfaceA:interfaceB notation at all.
Doing a quick search it seems related to running snort inline. Actually,
I don't think AF_Packet can be used to capture from two different
interfaces using a single instance of Bro. But, running a cluster one
could set up a worker per interface using AF_Packet. The latest version
of the plugin contains an additional broctl-plugin to allow specifying
the necessary parameters (workers will need different fanout_ids, see
https://bro-tracker.atlassian.net/browse/BIT-1747). The README was
extended as well to provide some information on how to set up Bro and
AF_Packet using broctl.
Hope that helps,
Jan
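To make the cluster layout from the reply concrete, here is an added example of a broctl node.cfg with one AF_Packet worker per interface. It is example configuration written for this page, not from the original thread or the plugin's own documentation; the option names lb_method=custom, af_packet_fanout_id and af_packet_fanout_mode are assumed from the plugin's broctl-plugin README and should be checked against the README shipped with your version, and the host, interface names and CPU pins are placeholders.

```ini
# node.cfg for a single-host Bro cluster capturing from two interfaces
# with the AF_Packet plugin (added example, not from the original thread).
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

# One worker stanza per interface: a single Bro process cannot open two
# AF_Packet interfaces, so eth0 and wlan0 each get their own worker.
[worker-eth0]
type=worker
host=localhost
interface=af_packet::eth0
# lb_method=custom hands load balancing to the plugin's broctl module
# (option names assumed from the plugin README; verify for your version).
lb_method=custom
lb_procs=2
pin_cpus=0,1
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH

[worker-wlan0]
type=worker
host=localhost
interface=af_packet::wlan0
lb_method=custom
lb_procs=1
pin_cpus=2
# Must differ from worker-eth0's id: a kernel fanout group is bound to
# one interface, so a socket on wlan0 cannot join the group used by eth0.
af_packet_fanout_id=24
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
```

The two lb_procs processes inside worker-eth0 share fanout id 23 and have the kernel spread eth0's traffic across them by flow hash; worker-wlan0 uses its own id. Reusing 23 in the second stanza is the mistake the reply warns about: the kernel only lets sockets bound to the same interface share a fanout group, so the wlan0 worker's socket would be rejected when it tried to join. After `broctl deploy`, `broctl status` should show both workers running.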
> Does not appear to decode pppoe however :(
>
> On 2016-12-16 09:51, James Lay wrote:
>> So far my testing says yes:
>>
>> 09:30:56 @tester:/opt/bro/spool$] sudo bro -C -i af_packet::eth0:wlan0
>> listening on eth0:wlan0
>>
>> eth0 Link encap:Ethernet HWaddr 00:1f:f3:46:62:ca
>> inet addr:192.168.1.7 Bcast:192.168.1.255
>> Mask:255.255.255.0
>> inet6 addr: fe80::21f:f3ff:fe46:62ca/64 Scope:Link
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:434251 errors:0 dropped:59 overruns:0 frame:0
>> TX packets:261164 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:600874115 (600.8 MB) TX bytes:70240696 (70.2 MB)
>> Interrupt:16
>>
>> wlan0 Link encap:Ethernet HWaddr 00:23:6c:7b:29:1d
>> inet addr:192.168.1.60 Bcast:192.168.1.255
>> Mask:255.255.255.0
>> inet6 addr: fe80::223:6cff:fe7b:291d/64 Scope:Link
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:74 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:10726 (10.7 KB) TX bytes:1820 (1.8 KB)
>>
>> ssh.log:
>> 1481906017.175240	CWWs1B3RQhgUy1QqT2	192.168.1.2	45480	192.168.1.7	22	2	T	1	-	SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8	SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1	chacha20-poly1305@openssh.com	umac-64-etm@openssh.com	none	curve25519-sha256@libssh.org	ssh-rsa
>>
>> 1481906687.051242	CfvBJT3Gs2r7YAX2n1	192.168.1.2	34956	192.168.1.60	22	2	T	1	-	SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8	SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1	chacha20-poly1305@openssh.com	umac-64-etm@openssh.com	none	curve25519-sha256@libssh.org	ssh-rsa
>>
>> but wanting to verify. Thank you.
>>
>> James
>>
>> On 2016-12-16 09:35, James Lay wrote:
>>> Love the plugin thanks...quick question for cli...does af_packet need -i
>>> for multiple interfaces, or can it be used like snort with
>>> af_packet::eth0:eth1? Thank you.
>>>
>>> James
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro