Monitoring for MAC address

I have a use case where I would like to monitor for certain MAC addresses in use. I took a look at the Intel framework and it doesn’t seem to have a type that can handle this. Has anybody else encountered a similar scenario in the past?

The list will be ever-evolving and so I would like to be able to modify it without having to restart my cluster (hence considering the Intel framework). I did find this thread, and if I have to, I will just write a script that uses known_devices. Thanks,

Jon

Maybe using this? Might work better than using Intel feeds.

https://github.com/evernote/bro-scripts/blob/master/bolo/scripts/main.bro

Patrick Kelley, CISSP

The limit to which you have accepted being comfortable is the limit to which you have grown. Accept new challenges as an opportunity to enrich yourself and not as a point of potential failure.

> I have a use case where I would like to monitor for certain MAC addresses in use. I took a look at the Intel framework <https://www.bro.org/sphinx-git/scripts/base/frameworks/intel/main.bro.html#type-Intel::Type> and it doesn't seem to have a type that can handle this. Has anybody else encountered a similar scenario in the past?

In theory it should be possible to redef Intel::Type and add a type for
MAC addresses, as they are treated as strings by Bro anyway.

> I did find this thread <http://mailman.icsi.berkeley.edu/pipermail/bro/2015-July/008819.html>, and if I have to, I will just write a script that uses known_devices.

Bro 2.5 will support logging of MAC addresses (see
https://github.com/bro/bro/blob/master/scripts/site/local.bro#L98).
Enabling this you would just have to add a seen script like the
conn-established.bro script.

Jan
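Putting Jan's two suggestions together, the script below is an added example for this thread; it is not code from the thread, from the bolo script, or from the Bro distribution. It extends Intel::Type with a MAC indicator and feeds the Intel framework from the l2_addr field that Bro 2.5 adds to connection endpoints, modelled on how conn-established.bro reports IP addresses. The enum value name MAC_ADDR, the normalize_mac helper, the feed path /opt/bro/share/bro/site/mac.intel and the sample feed line are all assumptions made for illustration.

```bro
##! Added example, not part of the thread or the Bro distribution.
##! Extends the Intel framework with a MAC indicator type and reports
##! the layer-2 addresses Bro 2.5 records on connection endpoints.

@load base/frameworks/intel
# Defines Conn::IN_ORIG / Conn::IN_RESP, the same locations that
# conn-established.bro reports against.
@load policy/frameworks/intel/seen/where-locations

module Intel;

export {
	# MAC addresses are plain strings to Bro, so a new enum value is
	# all the framework needs to carry them. The name is an assumption.
	redef enum Intel::Type += { MAC_ADDR };
}

# Hypothetical feed path. Files in Intel::read_files are watched by the
# input framework in reread mode, so editing the file changes the
# indicator set without restarting the cluster.
redef Intel::read_files += { "/opt/bro/share/bro/site/mac.intel" };

# Constructed example of what that file would contain (tab separated):
#
# #fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
# 00:11:22:33:44:55	Intel::MAC_ADDR	local-list	lost laptop	T

# Hypothetical helper: string indicators match byte-for-byte, so force
# feed entries and observed addresses to one case before comparing.
function normalize_mac(m: string): string
	{
	return to_lower(m);
	}

event connection_established(c: connection)
	{
	# l2_addr is &optional: it is only set when Bro saw the Ethernet
	# header for that side of the connection.
	if ( c$orig?$l2_addr )
		Intel::seen([$indicator=normalize_mac(c$orig$l2_addr),
		             $indicator_type=Intel::MAC_ADDR,
		             $conn=c,
		             $where=Conn::IN_ORIG]);

	if ( c$resp?$l2_addr )
		Intel::seen([$indicator=normalize_mac(c$resp$l2_addr),
		             $indicator_type=Intel::MAC_ADDR,
		             $conn=c,
		             $where=Conn::IN_RESP]);
	}
```

Hits land in intel.log like any other indicator type, with seen.where showing which side of the connection carried the address. Note that connection_established only fires for TCP; hooking new_connection instead would also cover UDP and ICMP traffic from the listed devices, at the cost of more Intel::seen calls.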

Very helpful, thank you both.

Jon