[Bro] NAT connection logs

John Edwards jedwards2728 at gmail.com
Tue Oct 4 01:45:52 PDT 2016


Hi all,

In my implementation of Bro I am observing traffic from two different zones
on the one physical box.

I have one physical, powerful system that has two optical feeds from a
passive tap that observes traffic from inside a firewall and outside the
firewall. A lot of the connections are NAT leaving our gateway.

My question is regarding logging: with a cluster configuration (or any Bro
configuration for that matter), if a connection is outbound to an IP of
1.2.3.4, does Bro see the connection as two separate streams with two
separate log entries to follow that stream? Or one stream, with the NAT
conversion within the log? I'm assuming the former, and that it sees it as
two separate connections.

I'm just considering whether it's worth having that level of visibility, as my
logs folder is obviously a combination of both interfaces and I don't want to
be potentially storing duplicate data :) All data is then ingested into a
SIEM, so I can search both IPs if I know what they are, but if I can reduce
it down to one search query and see the whole connection, obviously that's
better :)

Cheers
John
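Added example, not part of John's post or of the Bro project's code: Bro keys each connection on its 5-tuple, and source NAT changes the originator address between the two taps, so the inside and outside views of one flow land in conn.log as two rows with different uids. The script below parses two constructed conn.log excerpts (the standard `#fields` header; addresses, uids and timestamps are made up, and 203.0.113.7 is assumed to be the gateway's public address) and pairs rows across the taps by destination host, port and protocol plus a timestamp window, preferring an equal source port (port-preserving NAT) and falling back to equal byte counts; anything that never crossed the gateway is reported as unmatched. The pairing heuristic and the window size are assumptions for the example, not Bro behaviour.

```python
from collections import defaultdict

HEADER = ("#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
          "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n")

# Constructed sample rows (addresses, uids and timestamps are made up).
# Inside tap: private sources before the gateway rewrites them.
INSIDE_LOG = HEADER + (
    "1475562352.123\tCabc1\t10.0.0.5\t51234\t1.2.3.4\t443\ttcp\tssl\t1.5\t1200\t5400\tSF\n"
    "1475562353.500\tCabc2\t10.0.0.9\t40001\t1.2.3.4\t443\ttcp\tssl\t0.8\t300\t900\tSF\n"
    "1475562354.000\tCabc3\t10.0.0.5\t53000\t10.0.0.1\t53\tudp\tdns\t0.01\t60\t120\tSF\n"
)
# Outside tap: the same flows after source NAT to the (assumed) public 203.0.113.7.
# The second flow's source port was not preserved by the NAT.
OUTSIDE_LOG = HEADER + (
    "1475562352.125\tCdef1\t203.0.113.7\t51234\t1.2.3.4\t443\ttcp\tssl\t1.5\t1200\t5400\tSF\n"
    "1475562353.510\tCdef2\t203.0.113.7\t62000\t1.2.3.4\t443\ttcp\tssl\t0.8\t300\t900\tSF\n"
)


def parse_conn_log(text):
    """Parse Bro's tab-separated conn.log into a list of dicts keyed by #fields."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blank lines
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def pair_nat_flows(inside_rows, outside_rows, window=2.0):
    """Match each inside row to at most one outside row.

    Candidates share destination host, port and protocol (which source NAT
    does not rewrite) and start within `window` seconds of each other.
    First preference is an equal originator port (port-preserving NAT),
    second is equal byte counts; otherwise the inside row is reported as
    unmatched. Returns a list of (inside_uid, outside_uid_or_None, how).
    """
    by_dest = defaultdict(list)
    for row in outside_rows:
        by_dest[(row["id.resp_h"], row["id.resp_p"], row["proto"])].append(row)

    used, result = set(), []
    for i in inside_rows:
        cands = [
            o for o in by_dest[(i["id.resp_h"], i["id.resp_p"], i["proto"])]
            if o["uid"] not in used
            and abs(float(o["ts"]) - float(i["ts"])) <= window
        ]
        match, how = None, "unmatched"
        for o in cands:
            if o["id.orig_p"] == i["id.orig_p"]:
                match, how = o, "port-preserved"
                break
        if match is None:
            for o in cands:
                if (o["orig_bytes"], o["resp_bytes"]) == (i["orig_bytes"], i["resp_bytes"]):
                    match, how = o, "byte-counts"
                    break
        if match is not None:
            used.add(match["uid"])  # each outside row pairs at most once
        result.append((i["uid"], match["uid"] if match else None, how))
    return result


if __name__ == "__main__":
    for inside_uid, outside_uid, how in pair_nat_flows(
        parse_conn_log(INSIDE_LOG), parse_conn_log(OUTSIDE_LOG)
    ):
        print(f"{inside_uid} <-> {outside_uid} ({how})")
```

Emitting the paired uids as one record is what lets a single SIEM query show both halves of a NAT'd connection; rows that come back unmatched are the ones that really are only visible from one tap, so they are not duplicates and still worth keeping.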