[Bro] Monitoring for MAC address

Patrick Kelley pkelley at hyperionavenue.com
Thu Oct 6 12:05:54 PDT 2016

Maybe using this?  Might work better than using Intel feeds.


Patrick Kelley, CISSP

The limit to which you have accepted being comfortable is the limit to which
you have grown. Accept new challenges as an opportunity to enrich yourself
and not as a point of potential failure.

From:  <bro-bounces at bro.org> on behalf of "Zeolla at GMail.com"
<zeolla at gmail.com>
Date:  Thursday, October 6, 2016 at 11:55 AM
To:  "bro at bro.org" <bro at bro.org>
Subject:  [Bro] Monitoring for MAC address

I have a use case where I would like to monitor for certain MAC addresses in
use.  I took a look at the Intel framework's Intel::Type and it doesn't seem
to have a type that can handle this.
Has anybody else encountered a similar scenario in the past?

The list will be ever-evolving and so I would like to be able to modify it
without having to restart my cluster (hence considering the Intel
framework).  I did find this thread
<http://mailman.icsi.berkeley.edu/pipermail/bro/2015-July/008819.html> , and
if I have to, I will just write a script that uses known_devices.  Thanks,

_______________________________________________ Bro mailing list
bro at bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
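For readers landing on this thread later: the Input framework can do what the Intel framework cannot here. A table of MAC addresses read with `Input::REREAD` is refreshed whenever the file changes, so the list can be edited without restarting the cluster, and `conn$orig_l2_addr` / `conn$resp_l2_addr` (present in Bro 2.4 and later, the same fields known_devices relies on) give the link-layer addresses to match against. The script below is an added example written for this note; it is not code from the thread or from the Bro project. The watchlist path, the `MACWatch` module name and the `Watched_MAC_Seen` notice type are assumptions chosen for the example.

```bro
# Added example, not from the original thread: alert when a MAC address on a
# watchlist appears as originator or responder of a connection.
# The watchlist is a tab-separated file with a header line
#     #fields<TAB>mac<TAB>desc
# followed by one "mac<TAB>description" row per address, e.g.
#     00:11:22:33:44:55<TAB>rogue access point seen 2016-10
# (constructed sample row; the file path below is an assumption).
@load base/frameworks/input
@load base/frameworks/notice

module MACWatch;

export {
    redef enum Notice::Type += {
        ## A connection involved a MAC address on the watchlist.
        Watched_MAC_Seen,
    };

    ## Assumed path; the file must be readable on every node that
    ## runs this script (each worker loads it independently).
    const watchlist_file = "/opt/bro/share/mac-watchlist.tsv" &redef;

    ## Suppress repeated notices for the same MAC for this long.
    const suppress_for = 1hr &redef;
}

## Index and value types for the input file columns.
type Idx: record {
    mac: string;
};

type Val: record {
    desc: string;
};

## Watched MACs, keyed by lowercase colon-separated address.
global watched: table[string] of Val = table();

event bro_init()
    {
    # REREAD makes Bro re-read the file whenever it is modified, so
    # editing the watchlist does not require a cluster restart.
    Input::add_table([$source=watchlist_file,
                      $name="mac_watchlist",
                      $idx=Idx,
                      $val=Val,
                      $destination=watched,
                      $mode=Input::REREAD]);
    }

function check_mac(c: connection, mac: string, role: string)
    {
    # Bro reports link-layer addresses in lowercase; normalise the
    # watchlist side the same way so hand-edited entries still match.
    local m = to_lower(mac);
    if ( m !in watched )
        return;

    NOTICE([$note=Watched_MAC_Seen,
            $conn=c,
            $msg=fmt("%s MAC %s (%s) seen", role, m, watched[m]$desc),
            $identifier=m,
            $suppress_for=suppress_for]);
    }

# new_connection fires for every transport protocol, unlike
# connection_established, which is TCP-only.
event new_connection(c: connection)
    {
    # The l2 fields are &optional: they are absent when the capture has
    # no Ethernet header (e.g. raw IP or some tunnel decapsulations).
    if ( c?$orig_l2_addr )
        check_mac(c, c$orig_l2_addr, "originator");
    if ( c?$resp_l2_addr )
        check_mac(c, c$resp_l2_addr, "responder");
    }
```

Two practical caveats. First, the MAC Bro sees is the one on the wire at the sensor: once traffic crosses a router the source address is the router's, so this only identifies hosts on the same L2 segment as the tap or span port. Second, because each worker reads the file itself, the watchlist has to be distributed to all worker nodes (a shared mount or a deploy step); otherwise a worker with a stale copy silently keeps using the old list.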
