[Bro] Bro Digest, Vol 152, Issue 15

Philip Romero promero at cenic.org
Mon Dec 17 10:11:23 PST 2018


Sam,

I'm not sure if you got what you were looking for or if this input of
mine will help, but I use the "worker" tag to help me identify which
interface the logged event was seen on. The events in the conn log show
the worker name for the event seen when logging. There is also a unique
number for each process so in the below node.cfg example the logs would
include a field that states "worker-1-1", "worker-1-2", "worker-2-1", or
"worker-2-2". When I see worker-1 in the log I know it was seen on eth1
and when I see worker-2 in the log I know it was seen on eth2.

Hope this helped.

Example node.cfg:
[manager]
type=manager
host=localhost
#
[proxy-1]
type=proxy
host=localhost
#
[worker-1]
lb_method=pf_ring
lb_procs=2
pin_cpus=0,1
type=worker
host=localhost
interface=eth1
#
[worker-2]
lb_method=pf_ring
lb_procs=2
pin_cpus=2,3
type=worker
host=localhost
interface=eth2

On 12/14/18 9:03 AM, bro-request at bro.org wrote:
> Send Bro mailing list submissions to
> 	bro at bro.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> or, via email, send a message with subject or body 'help' to
> 	bro-request at bro.org
>
> You can reach the person managing the list at
> 	bro-owner at bro.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Bro digest..."
>
>
> Today's Topics:
>
>    1. Re: Bro logs - enable_local_logging and remove_default_filter
>       (Johanna Amann)
>    2. Re: Stripping SSL on network level (Johanna Amann)
>    3. Re: Stripping SSL on network level (Michał Purzyński)
>    4. Zeek monitoring (Michał Purzyński)
>    5. Adding interface to bro logs (Samual Barker)
>    6. Re: Adding interface to bro logs (Eric Ooi)
>
>
> ------------------------------
>
> Message: 5
> Date: Fri, 14 Dec 2018 10:11:06 +0000
> From: Samual Barker <sbarker at nettitude.com>
> Subject: [Bro] Adding interface to bro logs
> To: "bro at bro.org" <bro at bro.org>
> Message-ID: <7b5c0455f98c426c8f1c01e5f6d6fedb at nettitude.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi
>
>
> Does anyone know how to add the name of the interface Bro is listening on to the logs? I currently have a server listening on multiple interfaces and it would be useful to have the interface logged so that I can retrieve the pcap for any event more easily.
>
>
> Many thanks
>
> Sam
>
-- 
Philip Romero, CISSP, CISA
Sr. Information Security Analyst
CENIC
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290
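The mapping Philip describes (worker section plus lb_procs in node.cfg gives worker-N-M names, and the worker name in a conn log entry gives the interface) can be automated so an analyst can go from a log line straight to the right capture interface. The script below is an added example, not code from the list post or from the Bro/Zeek project. It parses a node.cfg in the same shape as the one above, derives the per-process worker names, and resolves the worker name found in each conn log record. Assumptions: node.cfg is parsed as a plain INI file; a section with lb_procs=N is assumed to produce names `<section>-1` .. `<section>-N`, and a section without lb_procs keeps its own name; the conn log is assumed to be TSV with a `#fields` header, and the column carrying the worker name is assumed to be called `_node` (pass a different name via `node_field` if your deployment uses another). The conn log lines are constructed for the example.

```python
import configparser

# Constructed node.cfg mirroring the layout posted on the list.
NODE_CFG = """[manager]
type=manager
host=localhost
#
[proxy-1]
type=proxy
host=localhost
#
[worker-1]
lb_method=pf_ring
lb_procs=2
pin_cpus=0,1
type=worker
host=localhost
interface=eth1
#
[worker-2]
lb_method=pf_ring
lb_procs=2
pin_cpus=2,3
type=worker
host=localhost
interface=eth2
"""

# Constructed conn log excerpt (TSV with a #fields header). The `_node`
# column name is an assumption; the worker names follow the node.cfg above.
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.resp_h\t_node
1544781066.123\tCAbc1x\t10.0.0.5\t10.0.0.9\tworker-1-2
1544781067.456\tCDef2y\t10.0.0.7\t192.0.2.10\tworker-2-1
1544781068.789\tCGhi3z\t10.0.0.8\t192.0.2.11\tworker-9-1
"""


def worker_interfaces(cfg_text):
    """Map every worker process name to the interface its section captures on.

    Assumed naming: lb_procs=N yields '<section>-1' .. '<section>-N';
    a worker section without lb_procs keeps the bare section name.
    """
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    mapping = {}
    for section in cp.sections():
        if cp.get(section, "type", fallback="") != "worker":
            continue  # manager/proxy sections have no interface
        iface = cp.get(section, "interface", fallback=None)
        procs = cp.getint(section, "lb_procs", fallback=1)
        names = [f"{section}-{i}" for i in range(1, procs + 1)] if procs > 1 else [section]
        for name in names:
            mapping[name] = iface
    return mapping


def interface_for_events(log_text, mapping, node_field="_node"):
    """Return (uid, worker name, interface) for each conn log record.

    Interface is None when the worker name is not in node.cfg, so a stale
    config or a renamed worker is visible instead of silently mis-attributed.
    """
    fields = None
    results = []
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # other header lines, blanks, or data before #fields
        rec = dict(zip(fields, line.split("\t")))
        node = rec.get(node_field, "")
        results.append((rec.get("uid", ""), node, mapping.get(node)))
    return results


if __name__ == "__main__":
    wmap = worker_interfaces(NODE_CFG)
    for uid, node, iface in interface_for_events(CONN_LOG, wmap):
        print(f"{uid}\t{node}\t{iface if iface else 'UNKNOWN WORKER'}")
```

The third record deliberately carries a worker name that is absent from node.cfg; it resolves to None rather than to a guessed interface, which is the behaviour you want before pulling a pcap based on the result.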
