[Bro] PCAP help

Michael Shirk shirkdog.bsd at gmail.com
Thu Apr 19 08:57:01 PDT 2018


It is advised to not monitor the same network you use to connect to
the Bro sensor, but you can ignore all of the traffic involving the
Bro sensor with a BPF filter by adding the following to your local.bro:

redef cmd_line_bpf_filter = "not (host BROIPADDRESS)";



On Thu, Apr 19, 2018 at 11:07 AM, Charles Mckee
<charles.mckee at decisivedge.com> wrote:
> Hello
>
> At this time Bro is monitoring all traffic, inbound and outbound. We want to
> filter all of its own traffic. So if it is em0, we do not want to see any
> of Bro's own traffic.
>
> At the present time it is just basically out of the box at this point. I am
> trying to configure it so that we see no traffic from itself.
>
> Respectfully Yours
> Charles McKee
>
> DecisivEdge, LLC
> O:  302.299.1570 x432  |  C:  302.320.6968  |  F:  302.299.1578
> 131 Continental Dr |  Suite 409  |  Newark, DE 19713
> charles.mckee at decisivedge.com  |  www.DecisivEdge.com
>
> -----Original Message-----
> From: Michael Shirk [mailto:shirkdog.bsd at gmail.com]
> Sent: Thursday, April 19, 2018 11:02 AM
> To: Charles Mckee <charles.mckee at decisivedge.com>
> Cc: bro <bro at bro.org>
> Subject: Re: [Bro] PCAP help
>
> So what interface is Bro monitoring? And have you configured your
> networks.cfg? Need some more details on what traffic you are having issues
> splitting out.
>
> On Thu, Apr 19, 2018 at 10:18 AM, Charles Mckee
> <charles.mckee at decisivedge.com> wrote:
>> Hello Bro Team,
>>
>> I need some help with PCAP.
>>
>> We noticed when using Bro we see local host traffic.
>>
>> We want to segment Bro's traffic from the other traffic on a continual
>> basis.
>>
>> We cannot find any information on the net how to do this, so now I
>> must reach out to you.
>>
>> All traffic inbound comes into Bro and at that point we need all of
>> its own traffic segmented away somewhere.
>>
>> Can you help me?
>>
>> Can you please send explicit directions for this.
>>
>> Respectfully Yours
>> Charles McKee
>>
>> DecisivEdge, LLC
>> O:  302.299.1570 x432  |  C:  302.320.6968  |  F:  302.299.1578
>> 131 Continental Dr |  Suite 409  |  Newark, DE 19713
>> charles.mckee at decisivedge.com  |  www.DecisivEdge.com
>>
>> ________________________________
>>
>> This email and any files transmitted with it are considered privileged
>> and confidential unless otherwise explicitly stated otherwise. If you
>> are not the intended recipient you are notified that disclosing,
>> copying, distributing or taking any action in reliance on the contents
>> of this information is strictly prohibited. All email data and
>> contents may be monitored to ensure that their use is authorized, for
>> management of the system, to facilitate protection against
>> unauthorized use, and to verify security procedures, survivability and
>> operational security. Under no circumstance should the user of this
>> email have an expectation of privacy for this correspondence.
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
> --
> Michael Shirk
> Daemon Security, Inc.
> http://www.daemon-security.com
>



-- 
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com
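
The filter from the reply above, generalized to a sensor with more than one address. This is an added example, not part of the original message or of Bro itself. The helper names and the documentation-range addresses are assumptions, and `would_capture` is only a model of how the BPF `host` primitive matches, not a call into libpcap.

```python
import ipaddress

def build_self_exclusion_filter(sensor_addrs):
    """Return a BPF expression that drops every packet to or from the sensor."""
    if not sensor_addrs:
        raise ValueError("at least one sensor address is required")
    hosts = []
    for addr in sensor_addrs:
        if "%" in addr:
            raise ValueError(f"scoped address not usable in a BPF filter: {addr}")
        # ip_address() accepts only literal IPv4/IPv6 addresses, so quotes,
        # spaces or extra BPF keywords cannot reach the quoted Bro string.
        ip = ipaddress.ip_address(addr)
        if ip not in hosts:
            hosts.append(ip)
    return "not (" + " or ".join(f"host {ip}" for ip in hosts) + ")"

def local_bro_line(sensor_addrs):
    """Return the redef line to place in local.bro."""
    return f'redef cmd_line_bpf_filter = "{build_self_exclusion_filter(sensor_addrs)}";'

def would_capture(src, dst, sensor_addrs):
    """Model of the filter: `host X` matches X as source OR destination."""
    sensor = {ipaddress.ip_address(a) for a in sensor_addrs}
    endpoints = {ipaddress.ip_address(src), ipaddress.ip_address(dst)}
    return not (endpoints & sensor)

# Constructed sample values (RFC 5737 / RFC 3849 documentation ranges).
SENSOR = ["192.0.2.10", "2001:db8::10"]
FLOWS = [
    ("198.51.100.7", "192.0.2.10", "admin SSH session to the sensor"),
    ("192.0.2.10", "203.0.113.53", "sensor's own DNS lookup"),
    ("198.51.100.7", "203.0.113.80", "unrelated client traffic"),
]

if __name__ == "__main__":
    print(local_bro_line(SENSOR))
    for src, dst, label in FLOWS:
        verdict = "captured" if would_capture(src, dst, SENSOR) else "ignored"
        print(f"{verdict:9} {src} -> {dst}  ({label})")
```

Because `host` matches either direction, the filter hides everything the sensor sends or receives on the monitored interface, so an unexpected connection involving the sensor itself would not appear in Bro's logs either.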

