[Bro] Fwd: Other log files besides conn.log
Jim Mellander
jmellander at lbl.gov
Tue Oct 17 15:55:46 PDT 2017
Hi Therenca:
You could add this to local.bro:
@load policy/protocols/conn/mac-logging
However, unless you're actually directly monitoring inside the border of a
subnet, the host MAC address will not be seen, but the MAC addresses of the
routers, so this may not be too useful.
Depending on your network topology, dhcp.log might have some information on
the mapping. You could also check your DHCP server's logs, which should
have the information you need.
Hope this helps,
Jim
On Tue, Oct 17, 2017 at 7:34 AM, Therenca Mureithi <
therencamureithi at gmail.com> wrote:
>
> ---------- Forwarded message ----------
> From: Therenca Mureithi <therencamureithi at gmail.com>
> Date: Tue, Oct 17, 2017 at 5:30 PM
> Subject: Other log files besides conn.log
> To: bro at bro.org
>
>
> Is there a way to add mac address to log files like http.log, ssl.log,
> ssh.log, especially when the ip addresses are dynamic. I have been able to
> add mac address to the conn.log file following bro related threads. I am
> not skilled at bro scripting but i would very much like to have this
> functionality. Why? Due to the fact that i want to track down users of the
> network and at one point their ip addresses do change, however rarely do
> mac address change unless ofcourse you have spoofed it. Kindly reply.
> Anyone.
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171017/2e0b397f/attachment.html
More information about the Bro
mailing list