Adding dns entry to bro logs

Hi,

I am using Bro internally on a network that uses DHCP to assign IP addresses, so if I want to investigate something that happened yesterday then doing an nslookup today won't tell me what host it was assigned to at the time the log was created. So is there a way to do an nslookup at the time of log creation and add it to the logs?

I did some googling and found a reference to extending the log format and running scripts but it wasn’t enough for me to figure it out.

Thanks,

Keith

The only way I know to do a lookup (someone please chime in), is using when(), something like this, which I stole from urls.bro originally:

# lookup_hostname() is asynchronous, so the body only runs once the DNS
# answer (a set[addr]) is back; the timeout branch runs if it never is.
when ( local m_addrs = lookup_hostname(m_no_scheme) )
    {
    for ( m_addr in m_addrs )
        {
        # ie, the lookup succeeded (a failed lookup yields 0.0.0.0)
        if ( m_addr != 0.0.0.0 )
            {
            # DO YOUR THING
            }
        }
    }
timeout 5sec
    {
    print fmt("timeout");
    }

However, I’d heavily caution you against doing that every time a log writes. For one, it’s extremely expensive. Second, the when() call spawns a separate process, so if it works at all, you’d need to somehow delay your log writes while that field populates.

Just thinking out loud, if your DHCP pool isn’t too huge, you could do the lookups on some interval and just populate a table that you reference later. Not perfect, but close.

I’d probably just recommend having the DHCP logs pushed to the same SIEM as my Bro data.

-Dop

However, I'd heavily caution you against doing that every time a log writes. For one, it's extremely expensive. Second, the when() call spawns a separate process, so if it works at all, you'd need to somehow delay your log writes while that field populates.

Yeah this would not work that well in practice.

Just thinking out loud, if your DHCP pool isn't too huge, you could do the lookups on some interval and just populate a table that you reference later. Not perfect, but close.

I was thinking exactly this. You just need some tool written in any language to output a file like

#fields ip name
10.0.0.1 boxone
10.0.0.2 otherbox
10.0.0.3 thirdbox

(with tabs and not spaces) and then bro can load that into a table[addr] of string; and you can reference it as often as you need.
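A Bro script that consumes exactly that file, as an added example rather than code from the thread: the Input framework loads the tab-separated ip/name file into a table and a handler copies the names onto conn.log before it is written. Assumed (not from the thread): the file path /opt/bro/share/hosts.tsv, that its header is "#fields<TAB>ip<TAB>name", and that the script is @load-ed from local.bro.

```bro
# Added example, not part of the original thread.
# Assumed placeholder path; the header line must be "#fields<TAB>ip<TAB>name".
module HostNames;

export {
    # New conn.log columns; &optional so rows for unknown hosts still log.
    redef record Conn::Info += {
        orig_name: string &optional &log;
        resp_name: string &optional &log;
    };

    const source_file = "/opt/bro/share/hosts.tsv" &redef;
}

# Index and value types mirror the two columns of the input file.
type Idx: record {
    ip: addr;
};

type Val: record {
    name: string;
};

# Keyed by the "ip" column; REREAD refreshes it in place when the file changes.
global hostnames: table[addr] of Val = table();

event bro_init()
{
    Input::add_table([$source=source_file,
                      $name="hostnames",
                      $idx=Idx,
                      $val=Val,
                      $destination=hostnames,
                      $mode=Input::REREAD]);
}

# Priority 0 runs before Conn's own handler logs the record at priority -5,
# so each record costs a table read rather than a when() DNS query.
event connection_state_remove(c: connection)
{
    if ( c$id$orig_h in hostnames )
        c$conn$orig_name = hostnames[c$id$orig_h]$name;
    if ( c$id$resp_h in hostnames )
        c$conn$resp_name = hostnames[c$id$resp_h]$name;
}
```

Because the table is refreshed from the file, the external tool only has to rewrite hosts.tsv on its own schedule (e.g. from the DHCP server's lease list); the names logged are the ones current at the time the conn record was written, which is what the original question asked for.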

Another idea: If you monitor the DHCP traffic with Bro as well, wouldn't it be possible to react on new leases, do the lookup using "when" and store that info in the table?

Jan

Yes, if Bro saw the DHCP traffic it could do this directly. There are some other challenges with that approach, like what happens when Bro first starts up and it hasn't seen any DHCP traffic yet. If the lease times are long it could be a while before it has any data.

Just FWIW, if you like/use Python, the BroThon package will automatically tail any Bro IDS log and then you can use the nice set of Python modules to do nslookup and whatever else (dump file, etc). https://github.com/Kitware/BroThon

This approach ‘offloads’ work from Bro IDS (which should stay focused on high performance network packet processing).

Code Example:

In [1]: from brothon import bro_log_reader

In [2]: bro_log = bro_log_reader.BroLogReader('/path/to/bro/dhcp.log', tail=True)

In [3]: for row in bro_log.readrows():
   ...:     # Do whatever you want with dhcp fields here (socket module/nslookup module/etc)
   ...:     print(row['assigned_ip'], row['mac'])

Output:

Successfully monitoring /Users/briford/work/BroThon/data/dhcp.log…

192.168.33.10 00:20:18:eb:ca:21

192.168.33.11 46:22:28:b6:a3:24

Hi Mike,

Thanks for the info. I would like to do a load test as the box is pretty beefy and doesn’t see a lot of traffic (2000 logs per minute). What file would I be editing to add the below code segment?

Thanks!

Keith

PS: currently DHCP and Bro logs do go to Splunk.