[Bro] Quick af_packet question
James Lay
jlay at slave-tothe-box.net
Sun Dec 18 05:04:40 PST 2016
Thanks Jan....those were my final results as well.
James
On Sat, 2016-12-17 at 23:08 +0100, Jan Grashöfer wrote:
> Hi James,
>
> to be honest, I don't know that interfaceA:interfaceB notation at all.
> Doing a quick search it seems related to running snort inline. Actually,
> I don't think AF_Packet can be used to capture from two different
> interfaces using a single instance of Bro. But, running a cluster one
> could set up a worker per interface using AF_Packet. The latest version
> of the plugin contains an additional broctl-plugin to allow specifying
> the necessary parameters (workers will need different fanout_ids, see
> https://bro-tracker.atlassian.net/browse/BIT-1747). The README was
> extended as well to provide some information on how to set up Bro and
> AF_Packet using broctl.
>
> Hope that helps,
> Jan
>
> >
> > Does not appear to decode pppoe however :(
> >
> > On 2016-12-16 09:51, James Lay wrote:
> > >
> > > So far my testing says yes:
> > >
> > > 09:30:56 @tester:/opt/bro/spool$] sudo bro -C -i af_packet::eth0:wlan0
> > > listening on eth0:wlan0
> > >
> > > eth0      Link encap:Ethernet  HWaddr 00:1f:f3:46:62:ca
> > >           inet addr:192.168.1.7  Bcast:192.168.1.255  Mask:255.255.255.0
> > >           inet6 addr: fe80::21f:f3ff:fe46:62ca/64 Scope:Link
> > >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >           RX packets:434251 errors:0 dropped:59 overruns:0 frame:0
> > >           TX packets:261164 errors:0 dropped:0 overruns:0 carrier:0
> > >           collisions:0 txqueuelen:1000
> > >           RX bytes:600874115 (600.8 MB)  TX bytes:70240696 (70.2 MB)
> > >           Interrupt:16
> > >
> > > wlan0     Link encap:Ethernet  HWaddr 00:23:6c:7b:29:1d
> > >           inet addr:192.168.1.60  Bcast:192.168.1.255  Mask:255.255.255.0
> > >           inet6 addr: fe80::223:6cff:fe7b:291d/64 Scope:Link
> > >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >           RX packets:74 errors:0 dropped:0 overruns:0 frame:0
> > >           TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
> > >           collisions:0 txqueuelen:1000
> > >           RX bytes:10726 (10.7 KB)  TX bytes:1820 (1.8 KB)
> > >
> > > ssh.log:
> > > 1481906017.175240 CWWs1B3RQhgUy1QqT2 192.168.1.2 45480 192.168.1.7 22 2 T 1 - SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 chacha20-poly1305@openssh.com umac-64-etm@openssh.com none curve25519-sha256@libssh.org ssh-rsa
> > >
> > > 1481906687.051242 CfvBJT3Gs2r7YAX2n1 192.168.1.2 34956 192.168.1.60 22 2 T 1 - SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 chacha20-poly1305@openssh.com umac-64-etm@openssh.com none curve25519-sha256@libssh.org ssh-rsa
> > >
> > > but wanting to verify. Thank you.
> > >
> > > James
> > >
> > > On 2016-12-16 09:35, James Lay wrote:
> > > >
> > > > Love the plugin thanks...quick question for cli...does af_packet need
> > > > -i for multiple interfaces, or can it be used like snort with
> > > > af_packet::eth0:eth1? Thank you.
> > > >
> > > > James
> > > > _______________________________________________
> > > > Bro mailing list
> > > > bro at bro-ids.org
> > > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
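Jan's advice above (one AF_Packet worker per interface, each with its own fanout_id) is easy to get wrong by copy-pasting a worker section in node.cfg. The following is an added example, not code from the thread or from the AF_Packet plugin: a small checker that parses a broctl node.cfg, flags the eth0:wlan0 style interface spec, and flags two workers on the same host whose AF_Packet sockets are bound to different devices but share a fanout_id (the Linux kernel refuses to add a socket bound to a different device to an existing PACKET_FANOUT group, so the second worker fails to start). The option names it looks for (interface=af_packet::<dev>, af_packet_fanout_id, af_packet_fanout_mode, lb_method=custom) are taken from the plugin's README; the section names and the sample config are constructed for this example.

```python
"""Sanity-check AF_Packet worker definitions in a broctl node.cfg.

Added example, not part of the original thread or of the AF_Packet plugin.
Assumes the node.cfg option names documented in the plugin README
(interface=af_packet::<dev>, af_packet_fanout_id, af_packet_fanout_mode);
the sample config below is constructed for this example.
"""
import configparser
import re
from collections import defaultdict

# Constructed sample: one worker per interface, as Jan suggests, but both
# sections reuse fanout_id 23, which is exactly the mistake BIT-1747 is about.
SAMPLE_NODE_CFG = """
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-eth0]
type=worker
host=localhost
interface=af_packet::eth0
lb_method=custom
lb_procs=2
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH

[worker-wlan0]
type=worker
host=localhost
interface=af_packet::wlan0
lb_method=custom
lb_procs=1
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
"""

AF_PACKET_IFACE = re.compile(r"^af_packet::(?P<dev>.+)$")


def parse_node_cfg(text):
    """Parse node.cfg (ini style) into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def af_packet_workers(nodes):
    """Return (name, host, device, fanout_id or None) for every AF_Packet worker."""
    out = []
    for name, opts in nodes.items():
        if opts.get("type") != "worker":
            continue
        m = AF_PACKET_IFACE.match(opts.get("interface", ""))
        if not m:
            continue
        fid = opts.get("af_packet_fanout_id")
        out.append((name, opts.get("host", "localhost"), m.group("dev"),
                    int(fid) if fid else None))
    return out


def check_af_packet(nodes):
    """Return a list of problems (empty list means the AF_Packet setup looks sane)."""
    problems = []
    workers = af_packet_workers(nodes)

    # 1. "eth0:wlan0"-style specs: one AF_Packet worker captures from one device.
    for name, _host, dev, _fid in workers:
        if ":" in dev:
            problems.append(f"{name}: interface 'af_packet::{dev}' names more "
                            "than one device; use one worker per interface")

    # 2. Same host, same fanout_id, different devices: the kernel rejects joining
    #    an existing fanout group from a socket bound to another device.
    devs_by_host_id = defaultdict(set)
    for name, host, dev, fid in workers:
        if fid is None:
            problems.append(f"{name}: af_packet_fanout_id is not set")
            continue
        devs_by_host_id[(host, fid)].add(dev)
    for (host, fid), devs in sorted(devs_by_host_id.items()):
        if len(devs) > 1:
            problems.append(f"host {host}: fanout_id {fid} is shared by "
                            f"interfaces {', '.join(sorted(devs))}")
    return problems


def assign_fanout_ids(nodes):
    """Return a copy of nodes where each (host, device) pair gets a distinct fanout_id.

    Sections already on the same device keep sharing an id (that is how lb_procs
    load-balances); only ids that would span two devices are reassigned.
    """
    fixed = {s: dict(o) for s, o in nodes.items()}
    used = defaultdict(set)   # host -> fanout ids already taken on that host
    chosen = {}               # (host, dev) -> fanout id
    for name, host, dev, fid in af_packet_workers(fixed):
        key = (host, dev)
        if key not in chosen:
            if fid is not None and fid not in used[host]:
                chosen[key] = fid
            else:
                cand = 1
                while cand in used[host]:
                    cand += 1
                chosen[key] = cand
            used[host].add(chosen[key])
        fixed[name]["af_packet_fanout_id"] = str(chosen[key])
    return fixed


if __name__ == "__main__":
    nodes = parse_node_cfg(SAMPLE_NODE_CFG)
    for p in check_af_packet(nodes):
        print("PROBLEM:", p)
    for name, host, dev, fid in af_packet_workers(assign_fanout_ids(nodes)):
        print(f"{name}: host={host} dev={dev} fanout_id={fid}")
```

Running it against the sample reports the shared fanout_id 23 and shows the wlan0 worker moved to its own id; point it at your real node.cfg before `broctl deploy` to catch the same copy-paste before the workers fail to start.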