Documentation and getting started.

Hello Everyone,

Is there a reference page on all the default installation directory
locations by any chance? $PREFIX just makes it a very long process
establishing where all the files are located. If not, I think this would
be excellent for beginners like me.

Also, I have created a bridge interface that I want to monitor using
ubuntu/bro by connecting two hosts, for some reason I can't seem to
generate any logs in /usr/local/bro/logs/ (no 'current' folder when bro
is started as in the documentation). Is this even possible to monitor a
bridge interface using bro on the same host? I have already changed
node.cfg interface to br0.

There are no tutorials anywhere on how to actually get started; I tried to
follow the instructions but still had no luck, and I've been wasting days on
this. If someone could point me in the right direction I'll greatly
appreciate it.

Kind regards

Daniel

Hi Daniel:

Check this link for info on the bro directory structure that may help you: https://www.bro.org/sphinx/install/release-notes.html#script-organization

As far as monitoring a bridged interface, there should be no problem, as long as bro can access the interface. If you're not running as root, see: https://www.bro.org/documentation/faq.html#how-can-i-capture-packets-as-an-unprivileged-user

Does tcpdump provide expected output when run against br0?

Hope this helps,

Jim

Hello Jim,

Thanks a lot, just what I needed; trying to search for everything just takes up too much time.

Running as root is just sudo -s then broctl, right, or do I need to change it as stated in that link you sent me?
No, tcpdump does not work against br0, but it runs against eth0 and eth1. I have assigned an IP address to br0; is this even required? I tried to use OpenBSD to accomplish a network tap, but brconfig, which configures the bridge, is not in the operating system for some reason. I get an error saying it's not recognised, and after many hours of searching I couldn't find a solution.

Linux is a pain in the backside; it takes up so much time trying to find solutions to problems.

This is my layout. I have put everything on the same subnet just to get things started.

VM ethernet adapter(my PC)
192.168.10.5 - no gateway

Ubuntu (Bro/Bridge)
br0 192.168.10.1 - no gateway
eth0 192.168.10.2 - no gateway
eth1 192.168.10.3 - no gateway

Ubuntu Victim
192.168.10.6 - gw 192.168.10.2

Linux Kali Attacker
192.168.10.7 - gw 192.168.10.3

Regards
Daniel

Ok, so I removed eth0/1 from network connections (the ethernet connection), so br0 has br0 slave 1 and 2, which has removed the IP addresses and is now using MAC addresses on eth0/1.

Now when I ping br0 (192.168.10.1) I get activity using tcpdump; however, when I ping the Attacker and Victim hosts from each other there is no activity on br0.

Regards
Daniel

Assuming that you're just doing the bonding for monitoring purposes, you could also have bro monitor multiple interfaces; see: http://mailman.icsi.berkeley.edu/pipermail/bro/2014-January/006477.html

Running bro as root is possible, but could be a security risk; the setcap method is safer and better.

Hope this helps,

Jim
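The thread covers three separate pieces: a Linux bridge that acts as a transparent tap (no IP address on it, as the thread eventually arrives at), a node.cfg pointing Bro at that bridge, and the setcap route from the FAQ link so Bro need not run as root. The script below is an added example written for this page, not code from the thread or from the Bro project. It assumes the default prefix /usr/local/bro used in the thread (overridable via the assumed BRO_PREFIX variable), the interface names br0/eth0/eth1 from Daniel's layout, and iproute2's ip command for building the bridge (the thread names no Linux tool for this; brctl would work equally). The setcap lines follow the FAQ linked above; everything else is illustrative.

```shell
#!/bin/sh
# Added example: build a Linux bridge purely as a monitoring tap, point Bro's
# node.cfg at it, and grant the capture capabilities from the Bro FAQ so Bro
# runs unprivileged.  BRO_PREFIX and the interface names are assumptions.

BRO_PREFIX="${BRO_PREFIX:-/usr/local/bro}"

# Render a standalone [bro] stanza of $PREFIX/etc/node.cfg for one interface
# (the key the thread changed to br0).
render_node_cfg() {
    iface="$1"
    printf '[bro]\ntype=standalone\nhost=localhost\ninterface=%s\n' "$iface"
}

# Commands that turn two physical ports into a transparent bridge.  The bridge
# carries no IP address: a tap should not be a routable hop, and an address on
# br0 (as in the thread's first layout) is not needed for capture.  Printed
# rather than executed so they can be reviewed first; pipe into `sudo sh`.
bridge_setup_cmds() {
    br="$1"; a="$2"; b="$3"
    cat <<EOF
ip link add name $br type bridge
ip addr flush dev $a
ip addr flush dev $b
ip link set dev $a master $br
ip link set dev $b master $br
ip link set dev $a promisc on up
ip link set dev $b promisc on up
ip link set dev $br up
EOF
}

# Capabilities from the FAQ (cap_net_raw for raw sockets, cap_net_admin for
# promiscuous mode) on the two binaries the FAQ names, instead of running
# broctl under sudo -s.
setcap_cmds() {
    prefix="$1"
    printf 'setcap cap_net_raw,cap_net_admin=eip %s/bin/bro\n' "$prefix"
    printf 'setcap cap_net_raw,cap_net_admin=eip %s/bin/capstats\n' "$prefix"
}

# Jim's sanity check: does tcpdump see traffic on the bridge at all?  Counts
# five frames and stops; host-to-host traffic between the two ports should
# appear here before Bro is expected to log anything.  Needs root or the
# same capabilities on tcpdump.
verify_tap() {
    tcpdump -ni "$1" -c 5
}

# Print the generated configuration when invoked as: sh thisfile.sh show
case "${1:-}" in
    show)
        render_node_cfg "${IFACE:-br0}"
        bridge_setup_cmds "${IFACE:-br0}" "${PORT_A:-eth0}" "${PORT_B:-eth1}"
        setcap_cmds "$BRO_PREFIX"
        ;;
esac
```

Once the bridge is up and verify_tap shows frames from both ends, broctl deploy with interface=br0 in node.cfg should start producing logs under $PREFIX/logs/current; if tcpdump on br0 stays silent, the problem is in the bridge, not in Bro.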