Newb with a couple questions

Hey all!

I am wondering how to filter protocols from the conn.log? I've been looking at:

http://www.bro.org/documentation/logging.html#filtering

But that seems to point to filtering columns, and not protocols. Thanks for any insight.

James

Depending on what you are trying to accomplish, you can filter the
data by protocol after it's been written to the conn.log file with
bro-cut or awk.

-Anthony

Hi Anthony,

Ideally the protocols would be dropped before logging. I already have dns and http logging using Bro, so seeing them in the connections log seems a tad redundant. Thanks for the quick response.

James

I wrote a blog post about log filtering a while ago that should help you out:
  http://blog.bro.org/2012/02/filtering-logs-with-bro.html

Does that help?

  .Seth
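An added example of the predicate approach that Seth's blog post describes, written for this thread rather than taken from the post or from the Bro distribution: it swaps conn.log's default filter for one whose $pred drops connections whose identified services are all already covered by their own log (dns.log, http.log). The module name ConnFilter, the function keep_conn and the skip_services set are assumed names chosen here; Log::remove_default_filter, Log::add_filter and split are the Bro 2.1 log framework and builtins (newer releases replace split with split_string). Connections with no identified service are kept, as are connections carrying any service outside the set, so conn.log still records everything the protocol logs do not.

```bro
##! Drop connections from conn.log whose service is already logged elsewhere
##! (dns.log, http.log). Example written for this thread; not part of Bro.

module ConnFilter;

export {
    ## Services that have their own log and are therefore skipped in conn.log.
    ## Assumed name; redef this set in local.bro to adjust it.
    const skip_services: set[string] = { "dns", "http" } &redef;
}

# Return T to write the record to conn.log, F to drop it.
function keep_conn(rec: Conn::Info): bool
    {
    # No identified service (scans, unknown protocols): always keep.
    if ( ! rec?$service )
        return T;

    # conn.log joins several identified services with commas ("http,ssl"),
    # so test each part; keep the record if any part lacks its own log.
    local parts = split(rec$service, /,/);
    for ( i in parts )
        {
        if ( parts[i] !in skip_services )
            return T;
        }

    return F;
    }

event bro_init() &priority=-5
    {
    # Replace the stock filter with one that carries the predicate; the
    # file name and columns stay the same, only the rows change.
    Log::remove_default_filter(Conn::LOG);
    Log::add_filter(Conn::LOG, [$name="conn-without-skipped-services",
                                $pred=keep_conn]);
    }
```

Load it from local.bro with @load or drop it into site/, then check conn.log: dns- and http-only connections disappear while the rest, including the tunnel and unknown-service rows Seth mentions later in the thread, are still written.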

I would not call the conn log redundant. The http and conn log are very different and have different data in them. Rather they complement each other.

-Mike

A fair point. And I'll give that a go, Seth, thank you. Gonna be busy the rest of this week, so I'll report my results on Monday. Thanks for the assistance all.

James

And very much needed if there is a compromise on the network.

Ron Jenkins (SnortCP,VCP 3 / 4,MCNE,MCPS,MCNPS,CCNA)
RMJ Consulting, LLC.
"Bringing Companies and Solutions Together"
Owner / Senior Architect
Physical Address
11715 Bricksome Ave STE B-7
Baton Rouge, LA 70816
Mail Address
7575 Jefferson Hwy #103
Baton Rouge, LA 70806
Toll. 855-448-5214
Direct. 225-448-5214
Fax. 225-448-5324
Cell. 225-931-1632
Email. rjenkins@rmjconsulting.net
Web. http://www.rmjconsulting.net/
http://www.linkedin.com/in/ronmjenkins

No such thing as too much logging.

Ron Jenkins

Additionally, the conn log seems to be getting more important over time. I've run into several sites already that aren't maintaining a conn.log and they might see tunnels being identified on their network (with the tunnel.log) but they don't know if any connections happened over the tunnel because that is indicated in the tunnel log.

  .Seth

Question

Is the tunnel log on by default?

Thx

Ron Jenkins

Yep. 2.1 automatically identifies and decapsulates Teredo, IP-in-IP (6to4, etc.), AYIYA, GTP (further fixes to this are in git now), and SOCKS.

  .Seth

Nice!

Thx

Ron Jenkins