[Bro] Adding dns entry to bro logs

Brian Wylie briford.wylie at gmail.com
Wed Jul 26 10:37:04 PDT 2017


Just FWIW, if you like/use Python: the BroThon package will automatically
tail any Bro IDS log, and then you can use the nice set of Python modules to
do nslookup and whatever else (dump file, etc).
https://github.com/Kitware/BroThon

This approach 'offloads' work from Bro IDS (which should stay focused on
high performance network packet processing).


Code Example:

In [1]: from brothon import bro_log_reader

In [2]: bro_log = bro_log_reader.BroLogReader('/path/to/bro/dhcp.log', tail=True)

In [3]: for row in bro_log.readrows():
   ...:     # Do whatever you want with dhcp fields here (socket module/nslookup module/etc)
   ...:     print(row['assigned_ip'], row['mac'])


Output:

Successfully monitoring /Users/briford/work/BroThon/data/dhcp.log...
192.168.33.10 00:20:18:eb:ca:21
192.168.33.11 46:22:28:b6:a3:24



On Wed, Jul 26, 2017 at 9:48 AM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Jul 26, 2017, at 12:37 PM, Mike Dopheide <dopheide at gmail.com> wrote:
> >
> > However, I'd heavily caution you against doing that every time a log
> writes.  For one, it's extremely expensive.  Second, the when() call spawns
> a separate process, so if it works at all, you'd need to somehow delay your
> log writes while that field populates.
>
> Yeah this would not work that well in practice.
>
> > Just thinking out loud, if your DHCP pool isn't too huge, you could do
> the lookups on some interval and just populate a table that you reference
> later.  Not perfect, but close.
>
> I was thinking exactly this.  You just need some tool written in any
> language to output a file like
>
> #fields ip name
> 10.0.0.1 boxone
> 10.0.0.2 otherbox
> 10.0.0.3 thirdbox
>
> (with tabs and not spaces)  and then bro can load that into a table[addr]
> of string; and you can reference it as often as you need.
>
>
> --
> - Justin Azoff
>
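Added example, not part of the original messages: one way to write the kind of lookup tool described in the quoted reply, producing the tab-separated "#fields ip name" file from a list of assigned IPs such as the dhcp.log values above. The names build_rows, write_table, reverse_lookup and hosts.tsv are assumptions; filtering the PTR answers (which are untrusted data) and the atomic file swap are additions beyond what the thread describes.

```python
import ipaddress
import os
import re
import socket
import tempfile

# Hostname characters accepted into the table. PTR answers are untrusted
# and must not be able to inject tabs or newlines into the file.
_SAFE_NAME = re.compile(r'[A-Za-z0-9._-]{1,253}')


def reverse_lookup(ip):
    """Return the PTR name for ip, or None when the lookup fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None


def build_rows(ips, resolver=reverse_lookup):
    """Map each valid, unique IP to a sanitized, lower-cased hostname."""
    rows = {}
    for raw in ips:
        try:
            ip = str(ipaddress.ip_address(raw.strip()))
        except ValueError:
            continue  # not an address, skip it
        name = resolver(ip)
        if name and _SAFE_NAME.fullmatch(name):
            rows[ip] = name.lower()
    return rows


def write_table(rows, path):
    """Write the tab-separated table and swap it into place atomically."""
    lines = ['#fields\tip\tname']
    lines += [f'{ip}\t{name}' for ip, name in sorted(rows.items())]
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, 'w') as handle:
        handle.write('\n'.join(lines) + '\n')
    os.replace(tmp, path)  # a reader never sees a half-written file


if __name__ == '__main__':
    # Constructed sample: a dict stands in for real PTR lookups.
    fake = {'10.0.0.1': 'boxone', '10.0.0.2': 'bad\tname'}
    write_table(build_rows(['10.0.0.1', '10.0.0.2', 'junk'], fake.get), 'hosts.tsv')
    print(open('hosts.tsv').read())
```

Run it on an interval with the default resolver to refresh the file; the Bro side that loads it into a table[addr] of string is not shown here.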