[Bro] BRO IDS

Miller, Brad L BLMILLER at comerica.com
Mon May 15 08:09:37 PDT 2017


It may be possible to sniff a wireless interface, but that depends on quite a few variables like the hardware being used.  You also must associate with an access point to sniff the data effectively (I’ve personally done it on many occasions).

It is possible to sniff wireless effectively using Kismet, or airodump-ng.  In both cases you can create logs or packet captures from the tool and those may be read into Bro directly.

Keep in mind that any sniffing of wireless traffic on a wireless network where you are the client will yield interesting data but not all the packets you may be concerned about.  It may be more effective to mirror the ethernet interfaces on access points and send that traffic to your Bro NSM.  You can do that with taps, spans, or more fancy tools.



From: Raj Kumar [mailto:rak at capmon.dk]
Sent: Monday, May 15, 2017 10:24 AM
To: Miller, Brad L
Cc: bro at bro.org
Subject: Re: [Bro] BRO IDS

Thank you very much for the valuable suggestion. I will remove the broargs setting. If we want to sniff both interfaces, like wlan0 and eth0, is it possible?


On 15 May 2017 at 15:58, Miller, Brad L <BLMILLER at comerica.com> wrote:
I’m a bit confused about the broargs setting.  Are you intending to sniff traffic on wlan0 or eth0?  Depending upon your need and specific hardware, your wlan interface may or may not be able to be put into promiscuous mode, and if not associated with an access point it will probably receive no meaningful traffic except what the host system is generating itself.

I would suggest removing the broargs setting and sniffing on eth0 as a test.  You could then send your NSM some meaningful traffic (SMB, ssh, ping) and see if your configuration logs this traffic as it should be seen.  Given that, you can expand into placing that interface on a span of more interesting traffic (like an egress point, the inside interface of a proxy, or the inside interface of a DNS server).



From: Raj Kumar [mailto:rak at capmon.dk]
Sent: Monday, May 15, 2017 9:47 AM
To: Miller, Brad L
Cc: bro at bro.org
Subject: Re: [Bro] BRO IDS

Thank you very much for the reply.
I just installed Bro on my Linux machine and I edited node.cfg:
[bro]
type=standalone
host=localhost
interface=eth0
broargs= -i wlan0

That's it :)

Please do let me know what has to be done.

On 15 May 2017 at 15:21, Miller, Brad L <BLMILLER at comerica.com> wrote:
I think that entirely depends upon the placement of the sniffing points.  If you sniff on a network without placing at an egress or ingress point, you will see multicast/broadcast traffic that you happen to see, but not much more of interest.

Is your sniffing interface placed well to monitor traffic of interest to you?  What spanning/mirroring technology are you using?

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Raj Kumar
Sent: Monday, May 15, 2017 5:28 AM
To: bro at bro.org
Subject: [Bro] BRO IDS

Hi All,

I have installed Bro IDS for network security monitoring. I am trying to match the IP addresses of threat feeds with the IP addresses in Bro logs, but I am getting only multicast 224.0.0.251 and 239.255.255.250 and not the actual destination IP. How do I get the exact IP address in Bro logs?

Any help would be really helpful

Thanks,
Raj



Please be aware that if you reply directly to this particular message, your reply may not be secure. Do not use email to send us communications that contain unencrypted confidential information such as passwords, account numbers or Social Security numbers. If you must provide this type of information, please visit comerica.com to submit a secure form using any of the "Contact Us" forms. In addition, you should not send via email any inquiry or request that may be time sensitive. The information in this e-mail is confidential. It is intended for the individual or entity to whom it is addressed. If you have received this email in error, please destroy or delete the message and advise the sender of the error by return email.



--
Raj
IT Consultant
Mobile:  +45 81923531

Lyskær 9
2730 Herlev, Denmark

Web:   http://www.capmon.dk


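As an added example (not part of the thread or of Bro itself), here is a small Python checker for Raj's original question above: it parses Bro's tab-separated conn.log using the #fields header, matches both endpoint addresses against a threat-feed IP set, and computes how many responders are real unicast hosts. A ratio near zero reproduces the symptom in the thread (only 224.0.0.251 and 239.255.255.250 seen) and points at sensor placement rather than at the feed matching. The log rows, uids and feed addresses are constructed.

```python
import ipaddress

# Constructed sample in Bro's ASCII conn.log layout (reduced #fields set); the
# first two rows are the mDNS/SSDP multicast chatter Raj saw in his logs.
SAMPLE_CONN_LOG = """#separator \\x09
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1494863217.1\tCaaaa1\t192.168.1.20\t5353\t224.0.0.251\t5353\tudp
1494863218.2\tCaaaa2\t192.168.1.20\t54321\t239.255.255.250\t1900\tudp
1494863219.3\tCaaaa3\t192.168.1.20\t44000\t203.0.113.50\t443\ttcp
1494863220.4\tCaaaa4\t192.168.1.31\t50222\t198.51.100.7\t80\ttcp
#close\t2017-05-15-10-00-00
"""

def parse_bro_log(text):
    """Column names come from #fields; every other #-line is metadata."""
    fields, records = [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records

def match_intel(records, intel_ips):
    """(uid, address) pairs for each connection with an endpoint on the feed."""
    feed = {ipaddress.ip_address(ip) for ip in intel_ips}
    hits = []
    for rec in records:
        for col in ("id.orig_h", "id.resp_h"):
            if ipaddress.ip_address(rec[col]) in feed:
                hits.append((rec["uid"], rec[col]))
    return hits

def unicast_responder_ratio(records):
    """Share of connections whose responder is a unicast host; near 0.0 means the
    interface only sees multicast/broadcast chatter, i.e. it is not on a span/tap."""
    if not records:
        return 0.0
    unicast = sum(1 for r in records
                  if not ipaddress.ip_address(r["id.resp_h"]).is_multicast
                  and r["id.resp_h"] != "255.255.255.255")
    return unicast / len(records)
```

Run it against a real conn.log first: if the ratio is close to zero, fix the interface placement (span, tap or mirrored AP port) before tuning the feed matching.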