[Zeek] MAC Address In Logs

Michał Purzyński michalpurzynski1 at gmail.com
Tue Feb 19 20:45:20 PST 2019


It's what I said already.

Running Bro without installation, from the command line, does not load the
local.bro. The mac-addr script, when loaded manually, will add your MAC
address to the conn.log and nowhere else. Frankly, there is no need for
that as you usually pivot between various log files.


On Tue, Feb 19, 2019 at 8:29 PM TQ <nothinrandom at gmail.com> wrote:

> Hi Michal,
>
> This is strange.  I went into the source folder bro-2.6.1/scripts/site/
> and changed local.bro and even rebuilt again.  No MAC address in log.
> However, running your suggestion of "bro -C -r <pcap>
> policy/protocols/conn/mac-logging" allows me to see MAC address in conn.log
> now.  So do you know what exactly is the issue here?  Is there a way to
> include MAC address in other logs such as http.log, dns.log, etc?  Thanks
> for your help!
>
> Thanks,
>
> On Tue, Feb 19, 2019 at 6:22 PM Michał Purzyński <
> michalpurzynski1 at gmail.com> wrote:
>
>> If testing with a cluster - have you re-deployed your Zeek?
>>
>> "broctl deploy" needs to be run after each change to scripts and
>> configuration. You can see what scripts are loaded with the "broctl
>> scripts" command, so just run
>>
>> broctl scripts | grep mac
>>
>> If testing with a pcap - some scripts are not loaded by default when you
>> just run zeek from the command line. You can try with
>>
>> bro -C -r <pcap> policy/protocols/conn/mac-logging
>>
>> to explicitly load this script.
>>
>>
>>
>> On Tue, Feb 19, 2019 at 5:46 PM TQ <nothinrandom at gmail.com> wrote:
>>
>>> Hi Chris,
>>>
>>> I only see these headers for conn.log:
>>> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service
>>> duration orig_bytes resp_bytes conn_state local_orig local_resp
>>> missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
>>> tunnel_parents
>>>
>>> Using the same commands I always use: sudo ./bro -C -r
>>> ~/Desktop/pcap/test.pcap
>>>
>>> Wireshark shows MAC just fine.  I don't need to rebuild bro again,
>>> right?  Just need to edit the /usr/local/bro/share/bro/site/local.bro
>>> file.  The only file that shows a column for mac is the dhcp.log
>>>
>>> Thanks,
>>>
>>> On Tue, Feb 19, 2019 at 5:02 PM Chris Walsh <chris at cwalsh.org> wrote:
>>>
>>>> In my 2.5.3 installation, the comment above the line in question says
>>>> that the MAC addrs will be logged to the conn.log file.  This is what
>>>> happens for me.  From there, they can be linked to other logs via the uid
>>>> field.
>>>>
>>>> Are you sure that your conn.log does not have the orig_l2_addr and
>>>> resp_l2_addr fields?
>>>>
>>>> Chris
>>>>
>>>> > On Feb 19, 2019, at 5:38 PM, TQ <nothinrandom at gmail.com> wrote:
>>>> >
>>>> > Thanks for the reply, Michael.  So I went into
>>>> > /usr/local/bro/share/bro/site/local.bro and uncommented this line: @load
>>>> > policy/protocols/conn/mac-logging.  I reran bro and checked all log files,
>>>> > but none contain the MAC address.  This is running on Zeek 2.6.1.  I'm not
>>>> > sure what to expect (i.e. two columns for source/destination MAC?).  Maybe
>>>> > I'm missing another step?
>>>> >
>>>> > Thanks,
>>>>
>>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>
>>
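Both points made in the thread (check whether conn.log actually carries the orig_l2_addr and resp_l2_addr columns, then pivot from conn.log into other logs via uid rather than expecting MACs in every log) can be done offline with a few lines of Python. The following is an added example, not code from the thread or from the Zeek project. It parses Zeek's ASCII TSV log format (the #separator/#fields/#unset_field directives), verifies the MAC columns are present, and joins http.log rows to their conn.log row by uid. The conn.log and http.log contents are constructed samples with made-up uids, addresses and MACs; only the column names come from the thread.

```python
"""Check a Zeek conn.log for mac-logging columns and pivot MACs into another log via uid."""

# Constructed sample logs (not real captures). Column names orig_l2_addr/resp_l2_addr
# are the ones policy/protocols/conn/mac-logging adds to conn.log.
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_l2_addr\tresp_l2_addr",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring",
    "1550630400.000000\tCUid1\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\t00:11:22:33:44:55\taa:bb:cc:dd:ee:ff",
    "1550630401.000000\tCUid2\t10.0.0.5\t51235\t192.0.2.53\t53\tudp\t00:11:22:33:44:55\t-",
    "#close\t2019-02-19-20-45-20",
])

HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\thttp",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring",
    "1550630400.100000\tCUid1\t10.0.0.5\t51234\t192.0.2.10\t80\tGET\texample.test\t/",
    "1550630402.000000\tCUid9\t10.0.0.7\t40000\t192.0.2.11\t80\tGET\torphan.test\t/x",  # no conn row
    "#close\t2019-02-19-20-45-20",
])


def parse_zeek_tsv(text):
    """Parse Zeek ASCII log text. Returns (field_names, rows); rows are dicts,
    with Zeek's unset marker mapped to None and the empty marker to ''."""
    sep, unset, empty, fields, rows = "\t", "-", "(empty)", None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#separator"):
            # The separator directive is the only one delimited by a space; its
            # value is an escaped byte such as \x09.
            sep = bytes(line.split(" ", 1)[1], "ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            directive, *values = line[1:].split(sep)
            if directive == "fields":
                fields = values
            elif directive == "unset_field":
                unset = values[0]
            elif directive == "empty_field":
                empty = values[0]
            continue  # #set_separator, #path, #types, #open, #close are not needed here
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        rows.append({n: (None if v == unset else "" if v == empty else v)
                     for n, v in zip(fields, values)})
    return fields, rows


def mac_columns_present(conn_text):
    """True if the conn.log header carries the two columns mac-logging adds."""
    fields, _ = parse_zeek_tsv(conn_text)
    return {"orig_l2_addr", "resp_l2_addr"} <= set(fields or [])


def attach_mac(conn_rows, other_rows):
    """Copy orig_l2_addr/resp_l2_addr from the conn row with the same uid onto
    each row of another log; rows without a matching conn entry get None."""
    by_uid = {r["uid"]: r for r in conn_rows if r.get("uid")}
    out = []
    for r in other_rows:
        conn = by_uid.get(r.get("uid"))
        enriched = dict(r)
        enriched["orig_l2_addr"] = conn.get("orig_l2_addr") if conn else None
        enriched["resp_l2_addr"] = conn.get("resp_l2_addr") if conn else None
        out.append(enriched)
    return out


if __name__ == "__main__":
    print("mac-logging columns in conn.log:", mac_columns_present(CONN_LOG))
    _, conn = parse_zeek_tsv(CONN_LOG)
    _, http = parse_zeek_tsv(HTTP_LOG)
    for row in attach_mac(conn, http):
        print(row["uid"], row["host"], row["orig_l2_addr"], row["resp_l2_addr"])
```

If mac_columns_present() reports False on a real conn.log, the script was not loaded for that run (the "broctl scripts | grep mac" or explicit "bro -C -r <pcap> policy/protocols/conn/mac-logging" checks above apply). Replace the constructed strings with open("conn.log").read() and open("http.log").read() to run it against real output; the same join works for dns.log or any other log that has a uid column.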