[Bro] Bro MITM Detection

Patrick Copeland ptcnop at gmail.com
Mon Sep 25 06:55:26 PDT 2017


Hello,

I have a question about Bro MITM detection. Here's the general scenario I'm
curious about:

Bro sensor is fed off switch SPAN port. Adversary has MITM on LAN using ARP
cache poisoning with the goal of modifying responses. From packet capture
you see that for every request, there are two responses (1)
server->adversary (good) and (2) adversary->host (bad). The modified packet
is identical except that it has a different src mac addr and the
application layer has been modified.

Right now Bro is parsing the original response but is ignoring the modified
response. I can’t find anything in weird.log / notice.log to know that it
is processing the second packet at all.

Questions:
- Would you expect Bro to parse and log both good resp and the modified bad
resp?
  - Is it application layer dependent?
- Any thoughts about how switch SPAN configuration might affect Bro output?
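The scenario above, two responses per request that differ only in source MAC and in application payload, can be checked out of band even when the sensor's own logs are silent about the second copy. The following is an added example, not code from the original post or from the Bro project: it models a SPAN capture as a list of constructed frame records and applies two defender-side checks, pairing responses that share a flow and TCP sequence number but arrive from different source MACs, and listing IP addresses that are seen with more than one source MAC. Frame fields, MAC and IP values and payloads are all constructed for illustration; only the server-to-host leg is modelled.

```python
"""Flag duplicated responses and IP/MAC conflicts in a captured frame list.

Added example for the scenario in the post; the frames below are constructed
sample data, not a real capture. The same checks can be run over records
exported from a pcap (e.g. one tuple per TCP segment carrying payload).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One TCP segment as seen on the SPAN port (constructed record)."""
    ts: float
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    payload: bytes


def flow_key(frame):
    """Identity of a segment within a flow: 4-tuple plus TCP sequence number."""
    return (frame.src_ip, frame.src_port, frame.dst_ip, frame.dst_port, frame.seq)


def find_duplicate_responses(frames):
    """Return one finding per segment that repeats an earlier segment's flow
    key but carries a different source MAC.

    A plain retransmission (same MAC, same bytes) is ignored; an on-path host
    re-emitting a response shows up as the same flow key from a second MAC,
    and the payload comparison says whether the content was altered."""
    first_seen = {}
    findings = []
    for frame in sorted(frames, key=lambda f: f.ts):
        key = flow_key(frame)
        first = first_seen.get(key)
        if first is None:
            first_seen[key] = frame
            continue
        if first.src_mac == frame.src_mac:
            continue  # retransmission from the same sender: benign
        reasons = ["src_mac_mismatch"]
        if first.payload != frame.payload:
            reasons.append("payload_modified")
        findings.append({
            "flow": key,
            "first_mac": first.src_mac,
            "second_mac": frame.src_mac,
            "reasons": reasons,
        })
    return findings


def ip_mac_conflicts(frames):
    """Map each source IP observed with more than one source MAC to that MAC set.

    Two MACs claiming the same IP on one segment is the classic indicator of
    ARP cache poisoning and is independent of any application protocol."""
    macs_by_ip = defaultdict(set)
    for frame in frames:
        macs_by_ip[frame.src_ip].add(frame.src_mac)
    return {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1}


# Constructed sample: host 10.0.0.5 asks server 10.0.0.10 for a page; the
# genuine reply arrives from the server's MAC, then a second copy of the
# same segment arrives from another MAC with an altered body.
HOST_MAC = "02:00:00:00:00:05"
SERVER_MAC = "02:00:00:00:00:0a"
OTHER_MAC = "02:00:00:00:00:99"  # constructed: the second sender's MAC

SAMPLE_FRAMES = [
    Frame(1.000, HOST_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.10", 51000, 80, 1000,
          b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Frame(1.010, SERVER_MAC, OTHER_MAC, "10.0.0.10", "10.0.0.5", 80, 51000, 5000,
          b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    Frame(1.012, OTHER_MAC, HOST_MAC, "10.0.0.10", "10.0.0.5", 80, 51000, 5000,
          b"HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\nmodified"),
]


if __name__ == "__main__":
    for finding in find_duplicate_responses(SAMPLE_FRAMES):
        print("duplicate response:", finding)
    for ip, macs in ip_mac_conflicts(SAMPLE_FRAMES).items():
        print("IP seen from several MACs:", ip, sorted(macs))
```

Because the two checks key on the Ethernet and TCP headers rather than on parsed application data, they do not depend on which protocol analyzer handled the flow; that is the property to look for when deciding whether a gap in weird.log or notice.log means the second copy was dropped at reassembly or simply never reported.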