Discovering known_hosts outside the network segment we are analyzing

Dear all,

As I started playing around with bro, I noticed the ability to identify known_hosts in the network.

My problem is that I need to identify hosts that are NOT part of my networks.cfg:
root@local-bro:~# cat /usr/local/bro/etc/networks.cfg
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.

192.168.1.0/24 Private IP space
root@local-bro:~#

The default networks.cfg had multiple networks, but what I want to do is detect what “invalid” traffic is flowing in the network (e.g. machines in a 192.168.0.0/24 segment sending out packets in my 192.168.1.0/24 network).

Here’s my use case:

  • I install a routing / sniffing appliance between the router and the existing local network (192.168.0.0/24) so I can sniff the traffic with bro

  • My appliance changes the network segment for the internal network to something else (e.g. 192.168.1.0/24) and starts serving addresses in that range using dhcp

      – all dynamically configured devices are set up with the new address

      – but then I discover that there were some devices in the previous network that had static ip addresses in the 192.168.0.0/24 range, so they stop working

What I would LIKE to do is have bro detect the “orphaned” 192.168.0.0/24 nodes in the known_hosts, even though my network is now 192.168.1.0/24.

I could do this by externally sniffing for arp requests but I would really like to do it through bro…

Is the solution to specify all internal reserved ranges in networks.cfg?
192.168.0.0/16
10.0.0.0/8

Is this good practice? And is there a better approach to achieve what I need?

Thank you,
Luis

Are you thinking of something along the lines of:

redef Known::host_tracking = ALL_HOSTS;

(see https://www.bro.org/sphinx/scripts/policy/protocols/conn/known-hosts.bro.html)

This should record ALL observed hosts in the known_hosts file.

v/r John

Ah, yes! This seems to be exactly what I was looking for!

Let me ask you something else though: what is the best practice to set that variable without changing the base known-hosts.bro script? (As I was reading the documentation yesterday, it said we should avoid making changes to the base scripts.)

Do I set that global parameter somewhere in a config file OR should I copy the known-hosts.bro script to my site/ directory and change it there?

p.s. this is probably a VERY stupid question but I’m brand new to bro (less than 24h), so I’m still trying to figure out how to properly use it :o)

Thank you,
Luis

Just add the redef line to somewhere in your local site config. No need to change things anywhere else.
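Putting that redef to work for the orphaned-segment case Luis describes, as an added example that is not from the thread or from the known-hosts script itself: the Known::log_known_hosts event and Known::HostsInfo record are what policy/protocols/conn/known-hosts.bro exports, while the orphaned_nets set and the Orphaned_Host notice type are assumptions made for this example.

```bro
# Added example for a site/local.bro: track every host Bro sees, then raise a
# notice for any that still answers from the retired 192.168.0.0/24 segment.

@load protocols/conn/known-hosts

# Record every host that completes a connection, not only those inside the
# networks.cfg ranges (the default, LOCAL_HOSTS).
redef Known::host_tracking = ALL_HOSTS;

module Orphans;

export {
    redef enum Notice::Type += {
        ## A host was seen in an address range the appliance retired.
        Orphaned_Host
    };

    ## Ranges that should no longer be in use (constructed for this example;
    ## redef it in local.bro to match your old segment).
    const orphaned_nets: set[subnet] = { 192.168.0.0/24 } &redef;
}

# known-hosts.bro raises this event once per newly discovered host, just
# before the entry is written to known_hosts.log.
event Known::log_known_hosts(rec: Known::HostsInfo)
    {
    # "addr in set[subnet]" is true when the address falls inside any listed range
    if ( rec$host in orphaned_nets )
        NOTICE([$note=Orphaned_Host,
                $msg=fmt("host %s still uses a retired address range", rec$host),
                $src=rec$host,
                $identifier=cat(rec$host)]);
    }
```

Because the notice carries the host as $src and an $identifier, the usual Notice policy can e-mail, suppress or deduplicate per static host, so each orphaned device shows up once in notice.log rather than on every connection.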