[Zeek] MAC Address In Logs

TQ nothinrandom at gmail.com
Tue Feb 19 21:14:45 PST 2019


I did install bro using "sudo ./configure && sudo make && sudo make
install", but still no MAC address unless I force loading like you
suggested.  I have a special use case where I need MAC address on every
single custom script log, so I peeked into
/usr/local/bro/share/bro/policy/protocols/conn/mac-logging.bro and noticed
that I just needed to add these into the record:

## Link-layer address of the originator, if available.
orig_l2_addr: string &log &optional;
## Link-layer address of the responder, if available.
resp_l2_addr: string &log &optional;

and these into the events:
if ( c$orig?$l2_addr )
    c$conn$orig_l2_addr = c$orig$l2_addr;

if ( c$resp?$l2_addr )
    c$conn$resp_l2_addr = c$resp$l2_addr;

Everything is working great now.  Thanks all for the help!

On Tue, Feb 19, 2019 at 8:45 PM Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:

> It's what I said already.
>
> Running Bro without installation, from the command line, does not load the
> local.bro. The mac-addr script, when loaded manually, will add your MAC
> address to the conn.log and nowhere else. Frankly, there is no need for
> that as you usually pivot between various log files.
>
>
> On Tue, Feb 19, 2019 at 8:29 PM TQ <nothinrandom at gmail.com> wrote:
>
>> Hi Michal,
>>
>> This is strange.  I went into the source folder bro-2.6.1/scripts/site/
>> and changed local.bro and even rebuilt again.  No MAC address in log.
>> However, running your suggestion of "bro -C -r <pcap>
>> policy/protocols/conn/mac-logging" allows me to see MAC address in conn.log
>> now.  So do you know what exactly is the issue here?  Is there a way to
>> include MAC address in other logs such as http.log, dns.log, etc?  Thanks
>> for your help!
>>
>> Thanks,
>>
>> On Tue, Feb 19, 2019 at 6:22 PM Michał Purzyński <
>> michalpurzynski1 at gmail.com> wrote:
>>
>>> If testing with a cluster - have you re-deployed your Zeek?
>>>
>>> "broctl deploy" needs to be run after each change to scripts and
>>> configuration. You can see what scripts are loaded with the "broctl
>>> scripts" command, so just run
>>>
>>> broctl scripts | grep mac
>>>
>>> If testing with a pcap - some scripts are not loaded by default when you
>>> just run zeek from the command line. You can try with
>>>
>>> bro -C -r <pcap> policy/protocols/conn/mac-logging
>>>
>>> to explicitly load this script.
>>>
>>>
>>>
>>> On Tue, Feb 19, 2019 at 5:46 PM TQ <nothinrandom at gmail.com> wrote:
>>>
>>>> Hi Chris,
>>>>
>>>> I only see these headers for conn.log:
>>>> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service
>>>> duration orig_bytes resp_bytes conn_state local_orig local_resp
>>>> missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes
>>>> tunnel_parents
>>>>
>>>> Using the same commands I always use: sudo ./bro -C -r
>>>> ~/Desktop/pcap/test.pcap
>>>>
>>>> Wireshark shows MAC just fine.  I don't need to rebuild bro again,
>>>> right?  Just need to edit the /usr/local/bro/share/bro/site/local.bro
>>>> file.  The only file that shows a column for mac is the dhcp.log
>>>>
>>>> Thanks,
>>>>
>>>> On Tue, Feb 19, 2019 at 5:02 PM Chris Walsh <chris at cwalsh.org> wrote:
>>>>
>>>>> In my 2.5.3 installation, the comment above the line in question says
>>>>> that the MAC addrs will be logged to the conn.log file.  This is what
>>>>> happens for me.  From there, they can be linked to other logs via the uid
>>>>> field.
>>>>>
>>>>> Are you sure that your conn.log does not have the orig_l2_addr and
>>>>> resp_l2_addr fields?
>>>>>
>>>>> Chris
>>>>>
>>>>> > On Feb 19, 2019, at 5:38 PM, TQ <nothinrandom at gmail.com> wrote:
>>>>> >
>>>>> > Thanks for the reply, Michael.  So I went into
>>>>> > /usr/local/bro/share/bro/site/local.bro and uncommented this line: @load
>>>>> > policy/protocols/conn/mac-logging.  I reran bro and checked all log files,
>>>>> > but none contain the MAC address.  This is running on Zeek 2.6.1.  I'm not
>>>>> > sure what to expect (i.e. two columns for source/destination MAC?).  Maybe
>>>>> > I'm missing another step?
>>>>> >
>>>>> > Thanks,
>>>>>
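The thread's resolution (copy the two record fields and the two guarded assignments into your own record and event) can be written as one stand-alone script that does the same thing for http.log and dns.log, the logs TQ asked about. The script below is an added example, not code from the thread or from the Zeek project; it assumes Bro/Zeek 2.6 script syntax, reuses the field names and the c$orig$l2_addr / c$resp$l2_addr guards from policy/protocols/conn/mac-logging.bro, and the script filename is a made-up placeholder.

```zeek
# Added example (not from the thread or the Zeek distribution):
# carry link-layer addresses into http.log and dns.log the same way
# policy/protocols/conn/mac-logging.bro does for conn.log.
# Assumes Zeek/Bro 2.6 script syntax.

@load base/protocols/http
@load base/protocols/dns

redef record HTTP::Info += {
    ## Link-layer address of the originator, if available.
    orig_l2_addr: string &log &optional;
    ## Link-layer address of the responder, if available.
    resp_l2_addr: string &log &optional;
};

redef record DNS::Info += {
    ## Link-layer address of the originator, if available.
    orig_l2_addr: string &log &optional;
    ## Link-layer address of the responder, if available.
    resp_l2_addr: string &log &optional;
};

# Negative priority so the base scripts have already created c$http / c$dns.
# The ?$ checks matter: l2_addr is &optional on the endpoint records and is
# absent when the link layer was not captured (e.g. some tunnel or pcap types).
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=-5
    {
    if ( ! c?$http )
        return;

    if ( c$orig?$l2_addr )
        c$http$orig_l2_addr = c$orig$l2_addr;

    if ( c$resp?$l2_addr )
        c$http$resp_l2_addr = c$resp$l2_addr;
    }

event dns_request(c: connection, msg: dns_msg, query: string,
                  qtype: count, qclass: count) &priority=-5
    {
    if ( ! c?$dns )
        return;

    if ( c$orig?$l2_addr )
        c$dns$orig_l2_addr = c$orig$l2_addr;

    if ( c$resp?$l2_addr )
        c$dns$resp_l2_addr = c$resp$l2_addr;
    }
```

Against a pcap this runs as "bro -C -r test.pcap l2-addr-logging.bro" (placeholder filename); in a cluster it goes into local.bro followed by "broctl deploy", as Michał notes above. The orig_l2_addr and resp_l2_addr columns then appear in http.log and dns.log; the same uid-based pivot to conn.log keeps working, so this is a convenience for single-log consumers rather than a replacement for the default mac-logging script.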