[Zeek] MAC Address In Logs
TQ
nothinrandom at gmail.com
Tue Feb 19 20:29:04 PST 2019
Hi Michal,
This is strange. I went into the source folder bro-2.6.1/scripts/site/ and
changed local.bro and even rebuilt again. No MAC address in log. However,
running your suggestion of "bro -C -r <pcap>
policy/protocols/conn/mac-logging" allows me to see MAC address in conn.log
now. So do you know what exactly is the issue here? Is there a way to
include MAC address in other logs such as http.log, dns.log, etc.? Thanks
for your help!
Thanks,
On Tue, Feb 19, 2019 at 6:22 PM Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:
> If testing with a cluster - have you re-deployed your Zeek?
>
> "broctl deploy" needs to be run after each change to scripts and
> configuration. You can see what scripts are loaded with the "broctl
> scripts" command, so just run
>
> broctl scripts | grep mac
>
> If testing with a pcap - some scripts are not loaded by default when you
> just run zeek from the command line. You can try with
>
> bro -C -r <pcap> policy/protocols/conn/mac-logging
>
> to explicitly load this script.
>
>
>
> On Tue, Feb 19, 2019 at 5:46 PM TQ <nothinrandom at gmail.com> wrote:
>
>> Hi Chris,
>>
>> I only see these headers for conn.log:
>> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service
>> duration orig_bytes resp_bytes conn_state local_orig local_resp
>> missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
>> tunnel_parents
>>
>> Using the same commands I always use: sudo ./bro -C -r
>> ~/Desktop/pcap/test.pcap
>>
>> Wireshark shows MAC just fine. I don't need to rebuild bro again,
>> right? Just need to edit the /usr/local/bro/share/bro/site/local.bro
>> file. The only file that shows a column for mac is the dhcp.log
>>
>> Thanks,
>>
>> On Tue, Feb 19, 2019 at 5:02 PM Chris Walsh <chris at cwalsh.org> wrote:
>>
>>> In my 2.5.3 installation, the comment above the line in question says
>>> that the MAC addrs will be logged to the conn.log file. This is what
>>> happens for me. From there, they can be linked to other logs via the uid
>>> field.
>>>
>>> Are you sure that your conn.log does not have the orig_l2_addr and
>>> resp_l2_addr fields?
>>>
>>> Chris
>>>
>>> > On Feb 19, 2019, at 5:38 PM, TQ <nothinrandom at gmail.com> wrote:
>>> >
>>> > Thanks for the reply, Michael. So I went into
>>> > /usr/local/bro/share/bro/site/local.bro and uncommented this line: @load
>>> > policy/protocols/conn/mac-logging. I reran bro and checked all log files,
>>> > but none contain the MAC address. This is running on Zeek 2.6.1. I'm not
>>> > sure what to expect (i.e. two columns for source/destination MAC?). Maybe
>>> > I'm missing another step?
>>> >
>>> > Thanks,
>>>
>>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
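Chris's point above is that mac-logging only writes orig_l2_addr and resp_l2_addr to conn.log, and other logs are joined to it through the shared uid. The following is an added example (not from the thread or from Zeek itself) of doing that join offline in Python over constructed, shortened sample logs; it assumes Zeek's default tab-separated ASCII format with a "#fields" header and "-" for unset values.

```python
"""Attach conn.log L2 (MAC) addresses to another Zeek log via the shared uid."""
from typing import Dict, Iterator, List

UNSET = "-"  # Zeek's default #unset_field marker
MAC_FIELDS = ("orig_l2_addr", "resp_l2_addr")  # columns added by conn/mac-logging

def parse_zeek_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one {field: value} dict per record of a tab-separated Zeek log."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]        # header names the columns
        elif line and not line.startswith("#"):  # skip #separator, #path, #close
            yield dict(zip(fields, line.split("\t")))

def mac_by_uid(conn_log: str) -> Dict[str, Dict[str, str]]:
    """Map uid -> the two MAC columns, '-' if a column is absent or unset."""
    return {rec["uid"]: {k: rec.get(k, UNSET) for k in MAC_FIELDS}
            for rec in parse_zeek_log(conn_log)}

def annotate(other_log: str, macs: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Return records of another log (http, dns, ...) with MACs joined on uid."""
    missing = {k: UNSET for k in MAC_FIELDS}
    rows = []
    for rec in parse_zeek_log(other_log):
        rec.update(macs.get(rec["uid"], missing))  # uid not in conn.log stays '-'
        rows.append(rec)
    return rows

# Constructed samples: a conn.log written with mac-logging loaded, and an http.log.
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\torig_l2_addr\tresp_l2_addr",
    "1550630000.1\tCAbc1\t10.0.0.5\t93.184.216.34\ttcp\t00:11:22:33:44:55\taa:bb:cc:dd:ee:ff",
    "1550630001.2\tCDef2\t10.0.0.5\t10.0.0.1\tudp\t00:11:22:33:44:55\t-",
    "#close\t2019-02-19-20-29-04",
])
HTTP_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi",
    "1550630000.3\tCAbc1\t10.0.0.5\t93.184.216.34\tGET\texample.com\t/",
    "1550630002.0\tCZzz9\t10.0.0.7\t93.184.216.34\tGET\texample.com\t/x",  # no conn row
])

if __name__ == "__main__":
    for row in annotate(HTTP_LOG, mac_by_uid(CONN_LOG)):
        print(row["uid"], row["host"], row["orig_l2_addr"], row["resp_l2_addr"])
```

On real logs, read conn.log and the target log from disk and pass their contents to the same two functions; a uid with no conn.log row (e.g. a rotated-out connection) is kept with "-" rather than dropped.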