I was wondering if anyone can tell me why the sha256 hash functionality
isn't turned on by default for the files log.
I am working on something and needed to turn it on. I normally only use Bro
to process pcap files offline and have never used it on a live network.
Does it cause performance issues?

A few people have been asking when the BroCon slides and videos will be posted. We need to do some post-production and other work before this is done. A rough estimate, barring unforeseen interruptions, is one month. When they are ready we'll communicate it on our mailing list and social media outlets.
Thanks for your patience.
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

Today I successfully installed Bro as a standalone worker on an Ubuntu
system; it has 16 cores, 8GB RAM (can be expanded) and about 2TB of disk.
It's receiving traffic from a passive fibre network interface.
The interface configuration is as follows:
  br0 - bridged interface
    p1p1 - RX of fibre
    p1p2 - TX of fibre
  br1 - bridged interface
    p2p1 - RX of fibre
    p2p2 - TX of fibre
So I have br0 configured and being monitored correctly. br0 is monitoring
one part of the network up towards public facing infrastructure and br1 is
monitoring more local stuff, so it's not NAT'd and closer to the hosts.
As it is one physical system with 2 interfaces, what is the best way for me
to monitor both feeds and log it correctly? All of my logs are being fed
into a SIEM with JSON output.
Can I have separate roles configured on the one physical system and each
interface being defined as a separate worker?
So PF_RING as the front end, then a manager and proxy but each worker
defined within the Cluster worker config as the same host but different
Or should I suggest getting additional hardware and splitting the
interfaces? It seems a little silly that one worker can only monitor one
interface, I thought. That's why I thought I'd ask here first.

I know I've brought this up before, but I was going to put this in on
the GitHub but that feature isn't enabled.
I know a lot of people just use broctl and be done with it, but I just
use it via command line most of the time. It would REALLY be nice to have
a command-line switch to not overwrite log files and just append to
existing files. Thank you.

I am reading through Bro's documentation for a variety of purposes. I am
new to it and really want to understand the internals, the scripting
language, scaling up for clustering for larger link monitoring, etc.
I find the website's layout not that good for reading, as I am reading it like
a book about any other open source project I read about. Other open source
security projects I read about have PDF versions of their documentation so
people can print it out, etc.
Is the same thing available for Bro? I have copied all of the doco into a
Word document but cancelled that as the formatting was ugly. The only mention
of Bro in a book I have found is a couple of pages long. I'd like the entire
documentation available for whatever latest release but as PDF.
Anyone else know where to find it? Or if it's even available?

Does anyone have experience using Bro to run its analysis on PCAPs being
written to a directory in an automated fashion?
Should a cron just be run at a lag using bro -r and script options?

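The three questions above that are really about running Bro offline (turning sha256 on in files.log, not clobbering log files between runs, and processing pcaps that keep landing in a directory) share one answer pattern, shown here as an added example that is not code from any of the posters or from the Bro project. It assumes bro is on PATH, the spool and output paths given as defaults, and that the capture tool writes each pcap in place, so a file whose mtime has been quiet for a few minutes is complete. Each capture is analysed in its own output directory (so nothing is overwritten or needs appending), a small policy script adds the SHA256 analyzer to every file, and the cron lag the poster asks about becomes an explicit minimum age.

```shell
#!/bin/sh
# Added example: batch-process pcaps dropped into a spool directory with
# `bro -r`, one output directory per capture (so earlier logs are never
# overwritten), skipping files still being written, and loading a tiny
# policy script that adds the SHA256 analyzer so files.log carries sha256.
# Assumed (not from the thread): bro on PATH, the paths below, and that
# the capture tool writes each pcap in place, so a quiet mtime means complete.

SPOOL="${SPOOL:-/var/spool/pcap}"         # where captures land
OUTROOT="${OUTROOT:-/var/log/bro/pcap}"   # one subdirectory per capture
MIN_AGE_MIN="${MIN_AGE_MIN:-5}"           # lag before a pcap counts as complete
BRO_SCRIPTS="${BRO_SCRIPTS:-local}"       # policy passed to bro -r

# Write a Bro script that attaches the SHA256 file analyzer to every file.
# Same pattern as policy/frameworks/files/hash-all-files.bro, which only
# adds MD5 and SHA1; SHA256 is not enabled by default.
write_sha256_policy() {
    cat >"$1" <<'EOF'
event file_new(f: fa_file)
    {
    Files::add_analyzer(f, Files::ANALYZER_SHA256);
    }
EOF
}

# Print pcaps in $1 older than $2 minutes that have no output directory
# under $3 yet, one path per line, sorted by name.
pending_pcaps() {
    spool="$1"; min_age="$2"; outroot="$3"
    find "$spool" -maxdepth 1 -type f -name '*.pcap' -mmin "+$min_age" | sort |
    while IFS= read -r f; do
        name=$(basename "$f" .pcap)
        [ -d "$outroot/$name" ] || printf '%s\n' "$f"
    done
}

# Run bro on one pcap inside its own directory so its logs cannot collide
# with any other run. A .done marker distinguishes a finished analysis from
# one that died part way; a missing marker is what a later pass should flag.
process_pcap() {
    f="$1"; outroot="$2"; policy="$3"
    case "$f" in /*) ;; *) f="$PWD/$f" ;; esac   # keep the path valid after cd
    name=$(basename "$f" .pcap)
    dir="$outroot/$name"
    mkdir -p "$dir" || return 1
    ( cd "$dir" && bro -r "$f" $BRO_SCRIPTS "$policy" ) \
        >"$dir/bro.stdout" 2>"$dir/bro.stderr"
    status=$?
    [ "$status" -eq 0 ] && : >"$dir/.done"
    return "$status"
}

main() {
    mkdir -p "$OUTROOT"
    policy="$OUTROOT/add-sha256.bro"
    write_sha256_policy "$policy"
    pending_pcaps "$SPOOL" "$MIN_AGE_MIN" "$OUTROOT" |
    while IFS= read -r f; do
        process_pcap "$f" "$OUTROOT" "$policy" || echo "bro failed on $f" >&2
    done
}

# Invoked from cron as: pcap-batch.sh run
if [ "${1:-}" = run ]; then main; fi
```

Because each run gets a fresh directory, the "append instead of overwrite" switch is not needed for this workflow, and a SIEM shipper can pick up every `*/conn.log` under the output root. The age check is only a heuristic for "capture finished"; if the capture tool rotates files atomically (write to a temp name, then rename), the lag can be dropped in favour of matching the final name only.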
Does bro handle the case where I am sniffing from two interfaces I1 and I2,
and I1 sees the client side traffic and I2 sees the server side traffic? If
this is supported, does the scenario of more than two interfaces also work?

One of my installations runs on an old linux laptop monitoring wifi traffic
exclusively in standalone.
I'm wondering what the convention is for node.cfg to add monitoring to the
wired interface as well.
The use case is, the system is taken off the wifi and restarted at a second
location for monitoring a wired connection.
Is the following node.cfg valid?
Or is a better configuration to use 2 workers, one for each interface?
Thanks in advance,

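Both the two-bridge box earlier in the thread and the laptop with a wifi and a wired interface come down to the same node.cfg shape: one worker section per interface, all on the same host. The following is an added example, not a config from any of the posters or from the Bro documentation; the section names, the br0/br1 interface names and the PF_RING load-balancing lines are assumptions for the 16-core box described above (drop `lb_method`/`lb_procs` on a Bro build without PF_RING, and substitute the wifi and wired interface names for the laptop case).

```ini
# Added example node.cfg (not from any poster): one physical host,
# one worker per monitored interface, every node on the same box.

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

# Public-facing side of the network, seen on the br0 bridge
[worker-br0]
type=worker
host=localhost
interface=br0
# Assumed PF_RING build: spread br0 across 4 flow-balanced processes
lb_method=pf_ring
lb_procs=4

# Internal side, seen on br1 (pre-NAT, closer to the hosts)
[worker-br1]
type=worker
host=localhost
interface=br1
lb_method=pf_ring
lb_procs=4
```

A worker section takes exactly one `interface=`, which is why the second feed needs its own section rather than a second interface on the first. All workers report to the same manager, so both feeds land in the same merged logs and the existing JSON output to the SIEM is unchanged. One caveat for the client-on-I1, server-on-I2 question: each worker keeps its own connection state, so the two halves of a flow that arrive on different workers are analysed as two separate one-sided connections, not stitched back together; keeping both directions of a link on the same worker (as the br0/br1 bridges above do) is what gives complete connection records.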
I have two workers that are constantly pegged at dropping 50% of the
packets I am processing. It is always the same two workers. This is on bro
2.4.1, so I don't have misc-stats (yet). Is there a way I can troubleshoot
why I have problems with these two workers?

In my node.cfg, all of my hosts are set to localhost. I can start bro as
root, but as a non-root user with setcap privs, I get
error: unknown host 'localhost' for given node 'manager' [Temporary... name
Obviously localhost is in /etc/hosts. So why is it bro is having a problem
with this? Not having a functional DNS shouldn't prevent bro from spawning,
especially when the host given is just localhost. How can I deal with this