
How to generate the software.log from a pcap file using bro?


I'm trying to generate the software.log file from a PCAP file I have; the default bro -r my.pcap seems to generate some of the log files but not this one. After googling, adding local on the end is supposed to fix it, but it doesn't.


Solution

  • By default, the software log will only track software for "local" hosts. Bro behaves this way because it stores known software in memory and if it tracked all discovered software by default it would consume all available memory very quickly.

    You have two options: you can either inform Bro of your local address space or you can tell Bro to track all software. You also need to load the scripts which feed software information into the software framework; we do that here by loading local.bro, which includes the lines to load all of those scripts.

    Inform Bro of local address space:

    bro -r my.pcap "Site::local_nets+={192.168.0.0/16,10.0.0.0/8}" local.bro

    OR

    Make the software framework track all software by loading a tuning script which enables all of the built in asset tracking for all hosts:

    bro -r my.pcap tuning/track-all-assets.bro local.bro

    OR

    For a deeper answer, you can also tune the option in the software framework directly that causes it to track all software:

    bro -r my.pcap Software::asset_tracking=ALL_HOSTS local.bro
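Once one of the commands above has produced a software.log, the following added Python example (not part of the original answer) parses Bro's tab-separated ASCII log format via its #fields header and lists the recorded software per host; the log lines are constructed, and the local_nets check shows which rows would be present with the default (local-only) tracking versus ALL_HOSTS.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample of a Bro 2.x software.log (tab-separated, #-prefixed
# headers, "-" for unset fields). Hosts and versions are made up.
SAMPLE_SOFTWARE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tsoftware\n"
    "#fields\tts\thost\thost_p\tsoftware_type\tname\tversion.major\tversion.minor"
    "\tversion.minor2\tversion.minor3\tversion.addl\tunparsed_version\n"
    "#types\ttime\taddr\tport\tenum\tstring\tcount\tcount\tcount\tcount\tstring\tstring\n"
    "1490000000.123\t10.0.0.5\t-\tHTTP::BROWSER\tFirefox\t52\t0\t-\t-\t-\t"
    "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\n"
    "1490000001.456\t10.0.0.9\t22\tSSH::SERVER\tOpenSSH\t7\t2\t-\t-\tp2\tSSH-2.0-OpenSSH_7.2p2\n"
    "1490000002.789\t93.184.216.34\t80\tHTTP::SERVER\tnginx\t1\t10\t3\t-\t-\tnginx/1.10.3\n"
    "#close\t2017-03-20-10-00-00\n"
)

Row = Dict[str, Optional[str]]


def parse_bro_log(text: str) -> List[Row]:
    """Parse a Bro ASCII log into dicts keyed by the names in the #fields line."""
    fields: Optional[List[str]] = None
    rows: List[Row] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header lines, the #close footer, blank lines
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            values = line.split("\t")
            # Bro writes "-" for unset fields; normalise those to None.
            rows.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return rows


def software_by_host(rows: List[Row]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group (software_type, name, unparsed_version) tuples by host address."""
    out: Dict[str, List[Tuple[str, str, str]]] = {}
    for r in rows:
        version = r["unparsed_version"] or r["name"] or ""
        out.setdefault(r["host"] or "", []).append((r["software_type"] or "", r["name"] or "", version))
    return out


def is_local(host: str, local_nets: List[str]) -> bool:
    """Mirror Site::local_nets: True if host falls inside any configured prefix."""
    return any(ipaddress.ip_address(host) in ipaddress.ip_network(n) for n in local_nets)


def local_rows(rows: List[Row], local_nets: List[str]) -> List[Row]:
    """Rows that default (LOCAL_HOSTS) tracking would keep; ALL_HOSTS keeps every row."""
    return [r for r in rows if r["host"] and is_local(r["host"], local_nets)]
```

With the local_nets from the first command, the nginx entry for 93.184.216.34 only appears in the log when asset tracking is set to ALL_HOSTS.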