Is there any way to glean layer 2 information from bro? Or maybe a reliable means of correlating IPs to hostnames?
We are running into issues where dynamic IP addressing is severely hindering the ability to track behavior identified by analysis of bro logs.
Thanks for the help!
> Is there any way to glean layer 2 information from bro? Or maybe a reliable means of correlating IPs to hostnames?
Bro 2.5 (beta2 available) will support logging of MAC addresses:
This may not help solve the problem you’re having, but just FYI, Bro 2.5 also logs VLAN IDs now; from the new functionality section at the link below:
“Bro now tracks VLAN IDs. To record them inside the connection log, load protocols/conn/vlan-logging.bro.”
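As an added example (not from this thread or the Bro project), a small Python parser that reads a Bro 2.5 conn.log and pivots on the originator MAC, so one host's activity stays linked across DHCP address changes and an IP that moved between hosts gets flagged. The orig_l2_addr, resp_l2_addr and vlan column names are assumed from the Bro 2.5 mac-logging and vlan-logging scripts; check them against your own #fields header.

```python
from collections import defaultdict

# Constructed excerpt of a Bro 2.5 conn.log (not real traffic, columns trimmed).
# The vlan and orig_l2_addr/resp_l2_addr columns are what vlan-logging.bro and
# mac-logging.bro add; those field names are assumed from the Bro 2.5 scripts.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tvlan\torig_l2_addr\tresp_l2_addr\n"
    "1478000000.1\tCa1\t10.0.5.20\t93.184.216.34\t443\t100\t00:11:22:33:44:55\taa:bb:cc:dd:ee:01\n"
    "1478003600.2\tCa2\t10.0.5.20\t93.184.216.34\t80\t100\t00:11:22:33:44:55\taa:bb:cc:dd:ee:01\n"
    "1478090000.3\tCa3\t10.0.5.77\t198.51.100.9\t22\t100\t00:11:22:33:44:55\taa:bb:cc:dd:ee:01\n"
    "1478090100.4\tCa4\t10.0.5.20\t198.51.100.9\t53\t-\t66:77:88:99:aa:bb\taa:bb:cc:dd:ee:01\n"
    "#close\t2016-11-02-12-00-00\n"
)

def parse_conn_log(text):
    """Parse Bro's ASCII TSV log; column names come from the #fields header line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def l2_timeline(rows):
    """{mac: [(ip, vlan, first_ts, last_ts, conns), ...]} in time order, so one
    host's activity stays linked across DHCP address changes."""
    by_mac = defaultdict(list)
    for r in sorted(rows, key=lambda r: float(r["ts"])):
        mac, ip, vlan, ts = r.get("orig_l2_addr", "-"), r["id.orig_h"], r.get("vlan", "-"), float(r["ts"])
        if mac == "-":  # unset: mac-logging not loaded, or no Ethernet header seen
            continue
        spans = by_mac[mac]
        if spans and spans[-1][:2] == (ip, vlan):
            spans[-1] = (ip, vlan, spans[-1][2], ts, spans[-1][4] + 1)
        else:
            spans.append((ip, vlan, ts, ts, 1))
    return dict(by_mac)

def reused_ips(rows):
    """IPs seen with more than one originator MAC: the lease moved between hosts."""
    macs = defaultdict(set)
    for r in rows:
        if r.get("orig_l2_addr", "-") != "-":
            macs[r["id.orig_h"]].add(r["orig_l2_addr"])
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}
```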