BRO IDS

Hi All,

I have installed bro ids for network security monitoring ,am trying to match the ip address of threats feeds with ip address in bro logs.But am getting only multicast 224.0.0.251 239.255.255.250 and not the actual destination ip .How to get the exact ip address in BRO logs.

Any help would be really helpful

Thanks,

I think that entirely depends upon the placement of the sniffing points. If you sniff on a network without placing at an egress or ingress point, you will see multicast/broadcast traffic that you happen to see, but not much more of interest.

Is your sniffing interface placed well to monitor traffic of interest to you? What spanning/mirroring technology are you using?

Thank you very much for the reply.
I just installed the bro in my linux machine and i edited node.cfg

[bro]
type=standalone
host=localhost
interface=eth0
broargs= -i wlan0

thats it :slight_smile:

Please do let me know ,what has to be done.

image.png

I’m a bit confused about the broargs setting. Are you intending to sniff traffic on wlan0 or eth0? Depending upon your need and specific hardware, your wlan interface may or may not be able to be put into promiscuous mode, and if not associated with an access point it will probably receive no meaningful traffic except what the host system is generating itself.

I would suggest removing the broargs setting and sniff on eth0 as a test. You could then send your NSM some meaningful traffic (SMB, ssh, ping) and see if your configuration will logs this traffic as it should be seen. Given that, you can expand into placing that interface on a span of more interesting traffic (like egress point, inside interface of a proxy, or inside interface of a DNS server).

image.png

Thank you very much for valuable suggestion ,I will remove broargs settings,if we want to sniff both the interfaces like wlan0 and eth0 is it possible ?

image.png

image.png

It may be possible to sniff a wireless interface, but that depends on quite a few variables like the hardware being used. You also must associate with an access point to sniff the data effectively (I’ve personally done it on many occasions).

It is possible to sniff wireless effectively using Kismet, or airodump-ng. In both cases you can create logs or packet captures from the tool and those may be read into Bro directly.

Keep in mind that any sniffing of wireless traffic on a wireless network where you are the client will yield interesting data but not all the packets you may be concerned about. It may be more effective to mirror the ethernet interfaces on access points and send that traffic to your Bro NSM. You can do that with taps/spans/or more fancy tools.

image.png