[Bro] Monitoring for MAC address

Jan Grashöfer jan.grashoefer at gmail.com
Thu Oct 6 12:50:07 PDT 2016


> I have a use case where I would like to monitor for certain MAC addresses
> in use.  I took a look at the Intel framework
> <https://www.bro.org/sphinx-git/scripts/base/frameworks/intel/main.bro.html#type-Intel::Type>
> and
> it doesn't seem to have a type that can handle this.  Has anybody else
> encountered a similar scenario in the past?

In theory it should be possible to redef Intel::Type and add a type for
MAC addresses as they are treated as strings by Bro anyway.

> I did find this thread
> <http://mailman.icsi.berkeley.edu/pipermail/bro/2015-July/008819.html>, and
> if I have to, I will just write a script that uses known_devices.

Bro 2.5 will support logging of MAC addresses (see
https://github.com/bro/bro/blob/master/scripts/site/local.bro#L98).
With this enabled, you would just have to add a seen script like the
conn-established.bro script.

Jan
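The two suggestions in the reply above (redef Intel::Type to add a MAC type, and write a seen script modelled on conn-established.bro), put together as an added example. This is not code from the thread or from the Bro project; it assumes Bro 2.5 with protocols/conn/mac-logging loaded so that c$orig$l2_addr and c$resp$l2_addr are populated, and the enum values Intel::MAC, Conn::IN_ORIG_L2 and Conn::IN_RESP_L2 are names chosen here, not part of the shipped scripts.

```bro
# Added example, not from the thread. Extends the Intel framework with a
# MAC-address indicator type and feeds layer-2 addresses into Intel::seen()
# so that matches show up in intel.log like any other indicator type.
# Assumptions: Bro 2.5, protocols/conn/mac-logging loaded (fills
# c$orig$l2_addr / c$resp$l2_addr); enum names below are chosen here.

@load base/frameworks/intel
@load protocols/conn/mac-logging

# Intel::Type is a redef-able enum, so a new indicator type can be added
# without touching the framework itself.
redef enum Intel::Type += {
	Intel::MAC,
};

# Where-locations for the two endpoints, mirroring Conn::IN_ORIG / Conn::IN_RESP.
redef enum Intel::Where += {
	Conn::IN_ORIG_L2,
	Conn::IN_RESP_L2,
};

# Constructed intel file for this type (tab-separated, one indicator per line),
# loaded via redef Intel::read_files += { "/path/to/mac.intel" } (path is a placeholder):
#fields	indicator	indicator_type	meta.source	meta.desc
#00:11:22:33:44:55	Intel::MAC	local-inventory	Device flagged by inventory check

# Same trigger as conn-established.bro: report both endpoints' MAC addresses
# to the Intel framework when a connection is established.
event connection_established(c: connection)
	{
	if ( c$orig?$l2_addr )
		Intel::seen([$indicator=c$orig$l2_addr,
		             $indicator_type=Intel::MAC,
		             $conn=c,
		             $where=Conn::IN_ORIG_L2]);

	if ( c$resp?$l2_addr )
		Intel::seen([$indicator=c$resp$l2_addr,
		             $indicator_type=Intel::MAC,
		             $conn=c,
		             $where=Conn::IN_RESP_L2]);
	}
```

String indicators are compared as strings, so the indicators in the intel file must be written in the same form Bro produces for l2_addr (colon-separated hex); check the case in conn.log before loading a feed. The l2_addr fields are only meaningful for the segment the sensor sees, since a router rewrites MAC addresses at every hop, so matches identify a device on the monitored link rather than the true endpoint of a routed connection.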