[Bro] Monitoring for MAC address

Zeolla@GMail.com zeolla at gmail.com
Thu Oct 6 14:00:02 PDT 2016


Very helpful, thank you both.

Jon

On Thu, Oct 6, 2016, 16:00 Jan Grashöfer <jan.grashoefer at gmail.com> wrote:

> > I have a use case where I would like to monitor for certain MAC addresses
> > in use.  I took a look at the Intel framework
> > <https://www.bro.org/sphinx-git/scripts/base/frameworks/intel/main.bro.html#type-Intel::Type>
> > and it doesn't seem to have a type that can handle this.  Has anybody else
> > encountered a similar scenario in the past?
>
> In theory it should be possible to redef Intel::Type and add a type for
> MAC addresses, as they are treated as strings by Bro anyway.
>
> > I did find this thread
> > <http://mailman.icsi.berkeley.edu/pipermail/bro/2015-July/008819.html>,
> > and if I have to, I will just write a script that uses known_devices.
>
> Bro 2.5 will support logging of MAC addresses (see
> https://github.com/bro/bro/blob/master/scripts/site/local.bro#L98).
> Enabling this you would just have to add a seen script like the
> conn-established.bro script.
>
> Jan
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-- 

Jon
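The following is an added example sketching the approach Jan describes (a redef of Intel::Type plus a "seen" script modelled on conn-established.bro); it is not code from this thread or from the Bro project. It assumes a Bro 2.5 setup where the connection endpoints carry an optional l2_addr field (what policy/protocols/conn/mac-logging copies into conn.log) and that Intel::Type can be extended with redef as Jan suggests. The MAC type and the two Where values are names chosen here, not part of Bro.

```bro
# Added example, not from the thread or the Bro distribution.
# Assumes Bro 2.5: c$orig$l2_addr / c$resp$l2_addr exist as optional
# strings, and Intel::Type is extensible via redef (as Jan suggests).
@load base/frameworks/intel
@load policy/protocols/conn/mac-logging

module Intel;

export {
	## Hypothetical indicator type for MAC addresses, e.g.
	## "aa:bb:cc:dd:ee:ff". Intel matches it as a plain string.
	redef enum Intel::Type += {
		MAC,
	};
}

module Conn;

export {
	## Hypothetical locations so hits can be told apart in intel.log.
	redef enum Intel::Where += {
		## Source MAC of the frame carrying the originator's traffic.
		Conn::IN_ORIG_MAC,
		## Source MAC of the frame carrying the responder's traffic.
		Conn::IN_RESP_MAC,
	};
}

# Mirror conn-established.bro: hand each endpoint's layer-2 address to
# the Intel framework once the connection is up. The ?$ checks matter
# because l2_addr is optional and absent on some link types.
event connection_established(c: connection)
	{
	if ( c$orig?$l2_addr )
		Intel::seen([$indicator=c$orig$l2_addr,
		             $indicator_type=Intel::MAC,
		             $conn=c,
		             $where=Conn::IN_ORIG_MAC]);

	if ( c$resp?$l2_addr )
		Intel::seen([$indicator=c$resp$l2_addr,
		             $indicator_type=Intel::MAC,
		             $conn=c,
		             $where=Conn::IN_RESP_MAC]);
	}
```

With this loaded, a watched MAC is added to an intel feed like any other string indicator, with Intel::MAC in the indicator_type column, and a match shows up in intel.log with the connection that triggered it. Since the MAC is read from the frame as captured, on a sensor behind a router it will be the router's address rather than the host's, so this is only meaningful on a span of the local segment.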

