MAC Address In Logs

Is there a way to include MAC address in all of the logs or custom written logs? I saw the documentation (https://docs.zeek.org/en/latest/scripts/policy/protocols/conn/mac-logging.bro.html), but didn’t see any MAC addresses even though I could see them in Wireshark.

Thanks,

You need to add the following to your local.bro script to enable it,
as it is not on by default:

@load policy/protocols/conn/mac-logging

Thanks for the reply, Michael. So I went into /usr/local/bro/share/bro/site/local.bro and uncommented this line: @load policy/protocols/conn/mac-logging. I reran bro and checked all log files, but none contain the MAC address. This is running on Zeek 2.6.1. I’m not sure what to expect (i.e. two columns for source/destination MAC?). Maybe I’m missing another step?

Thanks,

In my 2.5.3 installation, the comment above the line in question says that the MAC addrs will be logged to the conn.log file. This is what happens for me. From there, they can be linked to other logs via the uid field.

Are you sure that your conn.log does not have the orig_l2_addr and resp_l2_addr fields?

Chris

Hi Chris,

I only see these headers for conn.log:
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents

Using the same commands I always use: sudo ./bro -C -r ~/Desktop/pcap/test.pcap

Wireshark shows MAC just fine. I don’t need to rebuild bro again, right? Just need to edit the /usr/local/bro/share/bro/site/local.bro file. The only file that shows a column for mac is the dhcp.log

Thanks,

If testing with a cluster - have you re-deployed your Zeek?

“broctl deploy” needs to be run after each change to scripts and configuration. You can see what scripts are loaded with the “broctl scripts” command, so just run

broctl scripts | grep mac

If testing with a pcap - some scripts are not loaded by default when you just run zeek from the command line. You can try with

bro -C -r policy/protocols/conn/mac-logging

to explicitly load this script.

Hi Michal,

This is strange. I went into the source folder bro-2.6.1/scripts/site/ and changed local.bro and even rebuilt it again. No MAC address in the log. However, running your suggestion of “bro -C -r policy/protocols/conn/mac-logging” allows me to see MAC addresses in conn.log now. So do you know what exactly is the issue here? Is there a way to include the MAC address in other logs such as http.log, dns.log, etc.? Thanks for your help!

Thanks,

It’s what I said already.

Running Bro without installation, from the command line, does not load the local.bro. The mac-addr script, when loaded manually, will add your MAC address to the conn.log and nowhere else. Frankly, there is no need for that as you usually pivot between various log files.

I did install bro using “sudo ./configure && sudo make && sudo make install”, but still no MAC address unless I force loading like you suggested. I have a special use case where I need MAC address on every single custom script log, so I peeked into /usr/local/bro/share/bro/policy/protocols/conn/mac-logging.bro and noticed that I just needed to add these into the record:

    ## Link-layer address of the originator, if available.
    orig_l2_addr: string &log &optional;

    ## Link-layer address of the responder, if available.
    resp_l2_addr: string &log &optional;

and these into the events:

    if ( c$orig?$l2_addr )
        c$conn$orig_l2_addr = c$orig$l2_addr;

    if ( c$resp?$l2_addr )
        c$conn$resp_l2_addr = c$resp$l2_addr;

Everything is working great now. Thanks all for the help!
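The same redef-and-copy pattern the last post describes, applied to http.log as an added example (this is not the poster's script and not one of the policy scripts shipped with Zeek). It assumes a Zeek 2.6-era install where the connection endpoints carry the optional l2_addr field that mac-logging.bro reads, and that the file is saved as mac-http.bro and run against a capture with "bro -C -r test.pcap mac-http.bro"; both file names are assumptions. The http_request handler runs at priority 3 so that the base HTTP script (priority 5) has already created c$http.

```zeek
# mac-http.bro (assumed file name): add link-layer addresses to http.log.
# Added example; mirrors the approach of policy/protocols/conn/mac-logging.bro
# but targets HTTP::Info instead of Conn::Info.

@load base/protocols/http

# Extend the record behind http.log with two logged, optional columns.
redef record HTTP::Info += {
    ## Link-layer address of the originator, if available.
    orig_l2_addr: string &log &optional;
    ## Link-layer address of the responder, if available.
    resp_l2_addr: string &log &optional;
};

# Copy the MAC addresses from the connection endpoints into the HTTP
# record once the base script has created it (it does so at priority 5,
# so priority 3 runs afterwards for the same event).
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=3
    {
    # Guard against a request seen before HTTP state exists for it.
    if ( ! c?$http )
        return;

    # l2_addr is only populated when the packet source provides a link
    # layer (e.g. Ethernet pcaps); it is absent on tunnelled or raw-IP
    # traffic, hence the ?$ checks.
    if ( c$orig?$l2_addr )
        c$http$orig_l2_addr = c$orig$l2_addr;

    if ( c$resp?$l2_addr )
        c$http$resp_l2_addr = c$resp$l2_addr;
    }
```

After the run, the #fields header of http.log gains orig_l2_addr and resp_l2_addr at the end, and rows without a link-layer source show "-" in those columns. The same two steps (redef the log's Info record, then copy from c$orig and c$resp in an event that fires after the base script has created the per-connection record) carry over to other protocol logs; only the record name and the event differ.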