[Bro] Documentation and getting started.

Jim Mellander jmellander at lbl.gov
Tue Oct 17 13:37:55 PDT 2017


Assuming that you're just doing the bonding for monitoring purposes, you
could also have bro monitor multiple interfaces, see:
http://mailman.icsi.berkeley.edu/pipermail/bro/2014-January/006477.html

Running bro as root is possible, but could be a security risk - the setcap
method is safer & better.

Hope this helps,

Jim
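Jim's two suggestions above (monitor eth0 and eth1 as separate interfaces instead of the bridge, and use setcap rather than running as root) as an added example script; this is not code from the thread or from the Bro project, and it assumes Bro is installed under /usr/local/bro (the $PREFIX Daniel mentions) and the cluster node.cfg layout from the Bro documentation.

```shell
#!/bin/sh
# Added example, not from the thread: generate a Bro cluster node.cfg with
# one worker per monitored interface, and grant the capture binaries the
# capabilities they need so broctl does not have to run as root.
# Assumption: Bro lives under /usr/local/bro unless PREFIX is set.
PREFIX="${PREFIX:-/usr/local/bro}"

# Emit a node.cfg with a manager, a proxy and one worker per interface.
# Usage: gen_node_cfg eth0 eth1 > "$PREFIX/etc/node.cfg"
gen_node_cfg() {
    printf '[manager]\ntype=manager\nhost=localhost\n\n'
    printf '[proxy-1]\ntype=proxy\nhost=localhost\n\n'
    n=1
    for iface in "$@"; do
        printf '[worker-%d]\ntype=worker\nhost=localhost\ninterface=%s\n\n' \
            "$n" "$iface"
        n=$((n + 1))
    done
}

# Grant packet-capture capabilities to bro and capstats (the setcap method
# from the Bro FAQ). Must be run once as root after each install/upgrade.
grant_capture_caps() {
    for bin in "$PREFIX/bin/bro" "$PREFIX/bin/capstats"; do
        [ -x "$bin" ] || { echo "missing binary: $bin" >&2; return 1; }
        setcap cap_net_raw,cap_net_admin=eip "$bin" || return 1
    done
}

# Return 0 if a getcap output line shows both capture capabilities.
# Handles the "= caps+eip" (older libcap) and "caps=eip" (newer) formats.
caps_line_ok() {
    printf '%s\n' "$1" | grep -q 'cap_net_admin,cap_net_raw'
}

# Check the installed binaries without needing root.
has_capture_caps() {
    for bin in "$PREFIX/bin/bro" "$PREFIX/bin/capstats"; do
        caps_line_ok "$(getcap "$bin" 2>/dev/null)" || return 1
    done
}
```

Run `has_capture_caps` after `grant_capture_caps` to confirm the capabilities stuck; a package upgrade that replaces the binary silently drops them.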


On Tue, Oct 17, 2017 at 8:25 AM, Sniper <daniel_aka_sniper_d at hotmail.com>
wrote:

> Ok so I removed eth0/1 from network connections, the ethernet connection
> so br0 has br0 slave 1 and 2 which has removed the IP addresses and is now
> using MAC addresses on eth 0/1.
>
> Now when I ping the br0 192.168.10.1 I get activity using tcpdump,
> however, when I ping hosts Attacker and Victim from each other there is no
> activity on br0.
> Regards
> Daniel
>
>
> On 17/10/2017 14:38, Daniel wrote:
>
> Hello Jim,
>
> Thanks a lot just what I needed, trying to search for everything just
> takes up too much time.
>
> Running as root is just sudo -s then broctl, right, or do I need to change
> it as stated in that link you sent me?
> No, tcpdump does not work against br0 but it runs against eth0 and eth1. I
> have assigned an IP address to br0, is this even required? I tried to use
> OpenBSD to accomplish a network tap but brconfig that configures the bridge
> is not in the operating system for some reason. I get an error saying it's
> not recognised, after many hours of searching I couldn't find a solution.
>
> Linux is a pain in the backside, it takes up so much time trying to find
> solutions to problems.
>
> This is my layout, I have put everything on the same subnet just to get
> things started.
>
> VM ethernet adapter(my PC)
> 192.168.10.5 - no gateway
>
> Ubuntu (Bro/Bridge)
> br0 192.168.10.1 - no gateway
> eth0 192.168.10.2 - no gateway
> eth1 192.168.10.3 - no gateway
>
> Ubuntu Victim
> 192.168.10.6 - gw 192.168.10.2
>
> Linux Kali Attacker
> 192.168.10.7 - gw 192.168.10.3
>
> Regards
> Daniel
>
> On 16/10/2017 20:20, Jim Mellander wrote:
>
> Hi Daniel:
>
> Check this link for info on
> the bro directory structure that may help you:
> https://www.bro.org/sphinx/install/release-notes.html#script-organization
>
> As far as monitoring a bridged interface, there should be no problem, as
> long as bro can access the interface.  If you're not running as root, see:
> https://www.bro.org/documentation/faq.html#how-can-i-capture-packets-as-an-unprivileged-user
>
> Does tcpdump provide expected output when run against br0?
>
> Hope this helps,
>
> Jim
>
>
>
>
> On Mon, Oct 16, 2017 at 9:49 AM, Sniper <daniel_aka_sniper_d at hotmail.com>
> wrote:
>
>> Hello Everyone,
>>
>> Is there a reference page on all the default installation directory
>> locations, by any chance? $PREFIX just makes it a very long process
>> establishing where all the files are located. If not, I think this would
>> be excellent for beginners like me.
>>
>> Also, I have created a bridge interface that I want to monitor using
>> ubuntu/bro by connecting two hosts, for some reason I can't seem to
>> generate any logs in /usr/local/bro/logs/ (no 'current' folder when bro
>> is started as in the documentation). Is this even possible to monitor a
>> bridge interface using bro on the same host? I have already changed
>> node.cfg interface to br0.
>>
>> There are no tutorials anywhere on how to actually get started; I tried to
>> follow the instructions but still no luck, I've been wasting days on
>> this. If someone could point me in the right direction I'll greatly
>> appreciate it.
>>
>> Kind regards
>>
>> Daniel
>>
>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>