Dear all,
As I started playing around with bro, I noticed the ability to identify known_hosts in the network.
My problem is that I need to identify hosts that are NOT part of my networks.cfg:
root@local-bro:~# cat /usr/local/bro/etc/networks.cfg
List of local networks in CIDR notation, optionally followed by a
descriptive tag.
For example, “10.0.0.0/8” or “fe80::/64” are valid prefixes.
192.168.1.0/24 Private IP space
root@local-bro:~#
The default networks.cfg had multiple networks, but what I want to do is detect what “invalid” traffic is flowing in the network (e.g. machines in a 192.168.0.0/24 segment sending out packets in my 192.168.1.0/24 network).
Here’s my use case:
- I install a routing / sniffing appliance between the router and the existing local network (192.168.0.0/24) so I can sniff the traffic with bro
- My appliance changes the network segment for the internal network to something else (e.g. 192.168.1.0/24) and starts serving addresses in that range using DHCP
  – all dynamically configured devices get set up with the new address
  – but then I discover that there were some devices in the previous network that had static IP addresses in the 192.168.0.0/24 range, so they stop working
What I would LIKE to do is have bro detect the “orphaned” 192.168.0.0/24 nodes in the known_hosts, even though my network is now 192.168.1.0/24.
I could do this by externally sniffing for ARP requests, but I would really like to do it through bro…
Is the solution to specify all internal reserved ranges in networks.cfg?
192.168.0.0/16
10.0.0.0/8
…
Is this good practice? And is there a better approach to achieve what I need?
Thank you,
Luis
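One point worth knowing when reading the question above: the known-hosts script tracks only addresses inside Site::local_nets by default (Known::host_tracking is LOCAL_HOSTS), so a stale 192.168.0.0/24 node will never show up in known_hosts.log while networks.cfg lists only 192.168.1.0/24, regardless of how much traffic it sends. Below is an added example script, not part of the original post and not part of the Bro distribution, that widens tracking to all hosts and raises a notice the first time a connection involves an address that is either in an explicitly listed stale range or in RFC 1918 space without being in networks.cfg. The module name OrphanHosts, the notice type Orphaned_Host and the stale_nets set are assumptions chosen for this example; the 192.168.0.0/24 value is the one from the question and should be adjusted per site.

```bro
# Added example (not from the original post or the Bro project).
# Flags hosts that talk on the wire but are not part of a configured local network.
@load base/frameworks/notice
@load base/utils/directions-and-hosts
@load base/utils/site
@load policy/protocols/conn/known-hosts

module OrphanHosts;

export {
	redef enum Notice::Type += {
		## A host was seen in a stale or unconfigured private range.
		Orphaned_Host
	};

	## Address ranges that used to be in service on this segment but no
	## longer are (assumed value from the question; redef per site).
	const stale_nets: set[subnet] = { 192.168.0.0/24 } &redef;
}

# Record every host, not only those inside Site::local_nets, so orphaned
# nodes also appear in known_hosts.log.
redef Known::host_tracking = ALL_HOSTS;

# Addresses already reported, expired after a day so a recurring host
# produces at most one notice per day.
global reported: set[addr] &create_expire=1day;

function check_host(a: addr)
	{
	if ( a in reported )
		return;

	# Either in a range we know to be stale, or private space that is not
	# listed in networks.cfg (Site::local_nets).
	if ( a in stale_nets ||
	     (Site::is_private_addr(a) && ! Site::is_local_addr(a)) )
		{
		add reported[a];
		NOTICE([$note=Orphaned_Host,
		        $src=a,
		        $msg=fmt("host %s is active but not in a configured local network", a)]);
		}
	}

# new_connection fires for TCP, UDP and ICMP flows alike, so statically
# configured devices are caught on their first packet, not only on
# established TCP sessions.
event new_connection(c: connection)
	{
	check_host(c$id$orig_h);
	check_host(c$id$resp_h);
	}
```

Loaded from local.bro, this leaves networks.cfg describing the real current network (so Site::is_local_addr keeps its intended meaning for every other script) rather than listing all of 192.168.0.0/16, which would make the orphaned nodes look local and hide exactly the condition being searched for. The notice appears in notice.log with the offending address in the src column, and because the script only inspects IP headers it sees the static hosts as soon as they send any IP traffic, with no separate ARP sniffer.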