Best practice on how to customize an officially distributed script

Dear all,

I would like to change the known-hosts.bro script to log both the ip and macaddr for all known hosts in my network.

What are the best practices for customizing scripts that ship with bro (e.g. distributed in the /usr/share/bro/* directory)?

Am I supposed to just:

  • copy the script I want to customize to my share/bro/site/

  • and change local.bro to load the script in share/bro/site/ instead of share/bro/policy/protocols/conn/known-hosts.bro?

Thank you,
Luis

> I would like to change the known-hosts.bro script to log both the ip and macaddr for all known hosts in my network.

Are you collecting mac addresses from the DHCP analyzer?

> What are the best practices for customizing scripts that ship with bro (e.g. distributed in the /usr/share/bro/* directory)?
> Am I supposed to just:
> - copy the script I want to customize to my share/bro/site/
> - and change local.bro to load the script in share/bro/site/ instead of share/bro/policy/protocols/conn/known-hosts.bro?

That’s probably the best option. At the very least, if you’re loading the one out of your site directory you won’t have to worry about interfering with the one in the policy directory.

  .Seth
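What a site-local copy of known-hosts.bro could look like once it carries a MAC column, as an added example that is not code from this thread or from the Bro project. It assumes the stock script's module name (Known), record name (HostsInfo) and host_tracking option, and it takes the MAC from an assumed site-maintained table (host_macs) rather than from DHCP, so statically addressed hosts are covered too.

```bro
##! share/bro/site/known-hosts-mac.bro
##! Site-local replacement for policy/protocols/conn/known-hosts.bro that logs
##! a MAC address next to each newly seen host (added example; assumes the
##! stock module and record names).

module Known;

export {
	redef enum Log::ID += { HOSTS_LOG };

	type HostsInfo: record {
		ts:   time   &log;
		host: addr   &log;
		## Assumption: filled from the site inventory table host_macs below.
		mac:  string &log &optional;
	};

	## Which hosts to track; same meaning as the stock option.
	const host_tracking = LOCAL_HOSTS &redef;

	## Assumed site-maintained addr -> MAC mapping. Populate it in local.bro,
	## e.g. redef Known::host_macs += { [10.0.0.5] = "00:11:22:33:44:55" };
	const host_macs: table[addr] of string &redef;

	global known_hosts: set[addr] &create_expire=1day &synchronized &redef;
	global log_known_hosts: event(rec: HostsInfo);
}

event bro_init() &priority=5
	{
	Log::create_stream(Known::HOSTS_LOG, [$columns=HostsInfo, $ev=log_known_hosts]);
	}

event connection_established(c: connection) &priority=5
	{
	local id = c$id;
	for ( host in set(id$orig_h, id$resp_h) )
		{
		# Only hosts we have not seen yet and that fall under host_tracking.
		if ( host in known_hosts || ! addr_matches_host(host, host_tracking) )
			next;

		add known_hosts[host];
		local rec: HostsInfo = [$ts=network_time(), $host=host];
		# Hosts missing from the inventory are still logged, with mac left unset.
		if ( host in host_macs )
			rec$mac = host_macs[host];
		Log::write(Known::HOSTS_LOG, rec);
		}
	}
```

In local.bro, replace `@load protocols/conn/known-hosts` with `@load ./known-hosts-mac` so only the site copy is loaded and the two do not define Known::HOSTS_LOG twice.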

I haven’t given that much thought about how I’m going to capture the mac addr right now. :o)
My first concern was to understand what are the best practices to customize an existing stock script.

For instance, I don’t know if it is possible to overload / extend other script’s functions? If so, I’m interested in that, seeing as I do not want to replace / customize ALL script functionality.

Originally, I had thought about running an arp query of some sort (maybe calling out an external script, which I’m guessing should be possible?) to figure out what the mac is for each local ip addr. Is there a more elegant / scalable way to do it?

Thank you,
Luis

…by the way, I should have said this in my previous email…
I do not think I can simply look at the DHCP info, seeing that some of the hosts in my network MIGHT have statically defined ip addresses. The known-hosts script looks at src and dest ip addrs to figure out who’s out there, right?

Thanks,
Luis