[Zeek] MAC Address In Logs

TQ nothinrandom at gmail.com
Tue Feb 19 20:29:04 PST 2019


Hi Michal,

This is strange.  I went into the source folder bro-2.6.1/scripts/site/ and
changed local.bro and even rebuilt again.  No MAC address in the log.  However,
running your suggestion of "bro -C -r <pcap> policy/protocols/conn/mac-logging"
allows me to see MAC addresses in conn.log now.  So do you know what exactly
the issue is here?  Is there a way to include MAC addresses in other logs such
as http.log, dns.log, etc.?  Thanks for your help!

Thanks,

On Tue, Feb 19, 2019 at 6:22 PM Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:

> If testing with a cluster - have you re-deployed your Zeek?
>
> "broctl deploy" needs to be run after each change to scripts and
> configuration. You can see what scripts are loaded with the "broctl
> scripts" command, so just run
>
> broctl scripts | grep mac
>
> If testing with a pcap - some scripts are not loaded by default when you
> just run zeek from the command line. You can try with
>
> bro -C -r <pcap> policy/protocols/conn/mac-logging
>
> to explicitly load this script.
>
>
>
> On Tue, Feb 19, 2019 at 5:46 PM TQ <nothinrandom at gmail.com> wrote:
>
>> Hi Chris,
>>
>> I only see these headers for conn.log:
>> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service
>> duration orig_bytes resp_bytes conn_state local_orig local_resp
>> missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
>> tunnel_parents
>>
>> Using the same commands I always use: sudo ./bro -C -r
>> ~/Desktop/pcap/test.pcap
>>
>> Wireshark shows the MAC just fine.  I don't need to rebuild bro again,
>> right?  Just need to edit the /usr/local/bro/share/bro/site/local.bro
>> file.  The only file that shows a column for MAC is the dhcp.log.
>>
>> Thanks,
>>
>> On Tue, Feb 19, 2019 at 5:02 PM Chris Walsh <chris at cwalsh.org> wrote:
>>
>>> In my 2.5.3 installation, the comment above the line in question says
>>> that the MAC addrs will be logged to the conn.log file.  This is what
>>> happens for me.  From there, they can be linked to other logs via the uid
>>> field.
>>>
>>> Are you sure that your conn.log does not have the orig_l2_addr and
>>> resp_l2_addr fields?
>>>
>>> Chris
>>>
>>> > On Feb 19, 2019, at 5:38 PM, TQ <nothinrandom at gmail.com> wrote:
>>> >
>>> > Thanks for the reply, Michael.  So I went into
>>> /usr/local/bro/share/bro/site/local.bro and uncommented this line: @load
>>> policy/protocols/conn/mac-logging.  I reran bro and checked all log files,
>>> but none contain the MAC address.  This is running on Zeek 2.6.1.  I'm not
>>> sure what to expect (i.e. two columns for source/destination MAC?).  Maybe
>>> I'm missing another step?
>>> >
>>> > Thanks,
>>>
>
>
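The linkage Chris describes above (MAC addresses live only in conn.log once mac-logging is loaded, and reach other logs via the shared uid) as an added example that is not from the thread: a small Python join that carries orig_l2_addr/resp_l2_addr from conn.log onto http.log rows by uid. The log contents are constructed and abbreviated; the column names come from the mac-logging script, the reduced column set is an assumption.

```python
"""Join conn.log L2 addresses onto another Zeek TSV log (here http.log) by uid."""
from typing import Dict, Iterator, List, Tuple

# Constructed, abbreviated Zeek TSV logs (real logs carry more columns).
CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_l2_addr\tresp_l2_addr
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1550620000.1\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\t00:11:22:33:44:55\taa:bb:cc:dd:ee:ff
1550620001.2\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\t41000\t8.8.8.8\t53\tudp\t00:11:22:33:44:66\taa:bb:cc:dd:ee:ff
#close\t2019-02-19-20-00-00
"""
HTTP_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1550620000.3\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t93.184.216.34\t80\tGET\texample.com\t/
1550620002.9\tCnoUidInConn000000\t10.0.0.9\t40000\t93.184.216.34\t80\tGET\texample.com\t/x
#close\t2019-02-19-20-00-00
"""

UNSET = "-"  # Zeek's marker for an unset field


def read_zeek_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record; column names are taken from the #fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other metadata lines (#separator, #types, #close) and blanks
        else:
            yield dict(zip(fields, line.split("\t")))


def mac_index(conn_text: str) -> Dict[str, Tuple[str, str]]:
    """uid -> (orig_l2_addr, resp_l2_addr) from a conn.log written with mac-logging loaded."""
    return {r["uid"]: (r.get("orig_l2_addr", UNSET), r.get("resp_l2_addr", UNSET))
            for r in read_zeek_log(conn_text)}


def enrich(conn_text: str, other_text: str) -> List[Dict[str, str]]:
    """Attach both L2 addresses to every record of another log, keyed on uid.
    Records whose uid has no conn.log entry get '-' so the columns stay aligned."""
    idx = mac_index(conn_text)
    rows = []
    for r in read_zeek_log(other_text):
        r["orig_l2_addr"], r["resp_l2_addr"] = idx.get(r["uid"], (UNSET, UNSET))
        rows.append(r)
    return rows
```

On a live installation the same function works on the full files: read conn.log and http.log from the logs directory and write the enriched rows back out as TSV with the two extra columns.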

