[Bro] BRO IDS

Raj Kumar rak at capmon.dk
Mon May 15 07:23:42 PDT 2017


Thank you very much for the valuable suggestion; I will remove the broargs
setting. If we want to sniff both interfaces, like wlan0 and eth0, is it
possible?


On 15 May 2017 at 15:58, Miller, Brad L <BLMILLER at comerica.com> wrote:

> I’m a bit confused about the broargs setting.  Are you intending to sniff
> traffic on wlan0 or eth0?  Depending upon your need and specific hardware,
> your wlan interface may or may not be able to be put into promiscuous mode,
> and if not associated with an access point it will probably receive no
> meaningful traffic except what the host system is generating itself.
>
>
>
> I would suggest removing the broargs setting and sniff on eth0 as a test.
> You could then send your NSM some meaningful traffic (SMB, ssh, ping) and
> see if your configuration will log this traffic as it should be seen.
> Given that, you can expand into placing that interface on a span of more
> interesting traffic (like egress point, inside interface of a proxy, or
> inside interface of a DNS server).
>
>
>
>
>
>
>
> *From:* Raj Kumar [mailto:rak at capmon.dk]
> *Sent:* Monday, May 15, 2017 9:47 AM
> *To:* Miller, Brad L
> *Cc:* bro at bro.org
> *Subject:* Re: [Bro] BRO IDS
>
>
>
> Thank you very much for the reply.
>
> I just installed Bro on my Linux machine and I edited node.cfg:
>
> [bro]
> type=standalone
> host=localhost
> interface=eth0
> broargs= -i wlan0
>
> That's it :)
>
> Please do let me know what has to be done.
>
>
>
> On 15 May 2017 at 15:21, Miller, Brad L <BLMILLER at comerica.com> wrote:
>
> I think that entirely depends upon the placement of the sniffing points.
> If you sniff on a network without placing at an egress or ingress point,
> you will see multicast/broadcast traffic that you happen to see, but not
> much more of interest.
>
>
>
> Is your sniffing interface placed well to monitor traffic of interest to
> you?  What spanning/mirroring technology are you using?
>
>
>
> *From:* bro-bounces at bro.org [mailto:bro-bounces at bro.org] *On Behalf Of *Raj
> Kumar
> *Sent:* Monday, May 15, 2017 5:28 AM
> *To:* bro at bro.org
> *Subject:* [Bro] BRO IDS
>
>
>
> Hi All,
>
>
>
> I have installed Bro IDS for network security monitoring; I am trying to
> match the IP addresses of threat feeds with the IP addresses in Bro logs. But I am
> getting only multicast (224.0.0.251, 239.255.255.250) and not the actual
> destination IP. How do I get the exact IP address in Bro logs?
>
>
>
> Any help would be really helpful
>
>
>
> Thanks,
>
> *Raj*
>
>
>
>
>
> Please be aware that if you reply directly to this particular message,
> your reply may not be secure. Do not use email to send us communications
> that contain unencrypted confidential information such as passwords,
> account numbers or Social Security numbers. If you must provide this type
> of information, please visit comerica.com to submit a secure form using
> any of the ”Contact Us” forms. In addition, you should not send via email
> any inquiry or request that may be time sensitive. The information in this
> e-mail is confidential. It is intended for the individual or entity to whom
> it is addressed. If you have received this email in error, please destroy
> or delete the message and advise the sender of the error by return email.
>
>
>
>
>
> --
>
> *Raj*
>
> *IT Consultant*
>
> *Mobile:  **+45 **81923531*
>
> *Lyskær 9*
>
> *2730 Herlev, Denmark*
>
> *Web:   http://www.capmon.dk*
>
>
>



-- 
*Raj*
*IT Consultant*
*Mobile:  +45 81923531*

*Lyskær 9*

*2730 Herlev, Denmark*

*Web:   http://www.capmon.dk*
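The original question in this thread was how to match threat-feed IPs against Bro logs when the only destinations showing up were multicast addresses. The script below is an added example (not code from the thread or from the Bro project): it parses Bro's TSV log format using the #separator/#fields header lines, matches both endpoints of each connection against a feed, and separates local-only traffic (multicast, broadcast, link-local) from routed traffic. The conn.log lines and the feed are constructed sample data; 224.0.0.251 is mDNS and 239.255.255.250 is SSDP, exactly the addresses a host sees on any LAN segment without a span port, which is why they never match a feed of remote hosts.

```python
import ipaddress
from typing import Dict, Iterator, List

# Constructed sample: a Bro conn.log fragment in the default TSV format,
# with the header directives Bro writes. The records are made up for this
# example; the multicast destinations mirror what the thread describes.
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1494845000.1\tC1\t192.168.1.10\t5353\t224.0.0.251\t5353\tudp\tdns
1494845001.2\tC2\t192.168.1.10\t49152\t239.255.255.250\t1900\tudp\tssdp
1494845002.3\tC3\t192.168.1.10\t51000\t203.0.113.7\t443\ttcp\tssl
1494845003.4\tC4\t192.168.1.22\t51001\t198.51.100.9\t80\ttcp\thttp
1494845004.5\tC5\t192.168.1.10\t68\t255.255.255.255\t67\tudp\tdhcp
#close\t2017-05-15-12-00-00
"""

# Constructed threat feed: one indicator IP per line, '#' starts a comment.
SAMPLE_FEED = """\
# example feed (constructed, documentation-range addresses)
203.0.113.7
192.0.2.55
"""


def parse_bro_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record from a Bro TSV log. The column names come
    from the #fields directive, so the same parser serves conn.log,
    dns.log, http.log and so on."""
    sep = "\t"
    fields: List[str] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # Written escaped, e.g. "#separator \x09": decode it.
                sep = line[len("#separator "):].encode().decode("unicode_escape")
            elif line.startswith("#fields"):
                fields = line.split(sep)[1:]
            continue  # #types, #path, #close are metadata only
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        yield dict(zip(fields, values))


def load_feed(text: str) -> set:
    """Parse a plain-text indicator list into a set of address objects."""
    feed = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            feed.add(ipaddress.ip_address(line))
    return feed


def is_local_only(addr) -> bool:
    """Multicast, broadcast, link-local and unspecified addresses: seen on
    any segment even without a span port, never present in a feed of
    remote hosts."""
    return (addr.is_multicast or addr.is_link_local or addr.is_unspecified
            or addr == ipaddress.ip_address("255.255.255.255"))


def match_feed(log_text: str, feed: set) -> List[Dict[str, str]]:
    """Return one hit per (connection, endpoint) whose address is in the feed."""
    hits = []
    for rec in parse_bro_log(log_text):
        for key in ("id.orig_h", "id.resp_h"):
            if rec[key] == "-":  # Bro's unset marker
                continue
            addr = ipaddress.ip_address(rec[key])
            if is_local_only(addr) or addr not in feed:
                continue
            hits.append({"uid": rec["uid"], "field": key, "ip": str(addr),
                         "resp_p": rec["id.resp_p"], "service": rec["service"]})
    return hits


def summarize_destinations(log_text: str) -> Dict[str, int]:
    """Count responder addresses as local-only vs routed. If everything lands
    in local_only, the sensor is not on a span of real traffic."""
    counts = {"local_only": 0, "routed": 0}
    for rec in parse_bro_log(log_text):
        addr = ipaddress.ip_address(rec["id.resp_h"])
        counts["local_only" if is_local_only(addr) else "routed"] += 1
    return counts


if __name__ == "__main__":
    print(summarize_destinations(SAMPLE_CONN_LOG))
    for hit in match_feed(SAMPLE_CONN_LOG, load_feed(SAMPLE_FEED)):
        print(hit)
```

Run it against a real conn.log by reading the file into `match_feed`; the `summarize_destinations` ratio is the quick check Brad suggests in the thread: when it reports only local-only destinations, the interface is seeing its own segment's chatter rather than mirrored traffic, and no feed match is possible until the sensor sits on a span of the traffic of interest.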