securityonion-bro-scripts
enable capturing of MAC addresses and VLANs by default in local.bro
I suggest that the default local.bro for new Security Onion installations include:
@load policy/protocols/conn/vlan-logging
@load policy/protocols/conn/mac-logging
In a network security environment, having MAC addresses and VLANs associated with network sessions is almost always going to be something you want.
I've already created a pull request in the securityonion-elastic repository to handle these new fields in the Logstash filters for Bro logs.
EDIT: changed the pull request to reference the one I created with just that issue split out
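As an added example (not code from this issue, from Security Onion, or from Bro itself): a small Python parser that reads a Bro conn.log and pulls out the columns the two scripts above add, namely orig_l2_addr and resp_l2_addr from mac-logging and vlan and inner_vlan from vlan-logging. The log text is constructed for the example, and the parser keys on the #fields header rather than on column position, so it also copes with logs written before the scripts were loaded (the same situation any Logstash filter for these fields has to handle). The final helper maps each source IP to the MAC/VLAN pairs it was seen with, which is the kind of question these fields exist to answer.

```python
"""Pull the VLAN and MAC address columns out of a Bro conn.log.

policy/protocols/conn/vlan-logging adds vlan and inner_vlan, and
policy/protocols/conn/mac-logging adds orig_l2_addr and resp_l2_addr, to
conn.log. A log written without those scripts loaded simply lacks the
columns, so this parser keys on the #fields header, not on column position.
"""

# Constructed sample (not a real capture): the column order, addresses and
# timestamps are made up for this example. The header lines follow the Bro
# ASCII log layout (#fields names the columns, #unset_field marks unset values).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tconn_state\torig_l2_addr\tresp_l2_addr\tvlan\tinner_vlan\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tstring\tstring\tstring\tint\tint\n"
    "1500000000.123456\tCabc123\t10.0.1.5\t51234\t93.184.216.34\t80\ttcp"
    "\thttp\tSF\t00:11:22:33:44:55\taa:bb:cc:dd:ee:ff\t100\t-\n"
    "1500000001.000000\tCdef456\t10.0.1.5\t51235\t10.0.1.1\t53\tudp"
    "\tdns\tSF\t00:11:22:33:44:55\t66:77:88:99:aa:bb\t100\t200\n"
    "1500000002.000000\tCghi789\t10.0.2.9\t40000\t10.0.2.1\t22\ttcp"
    "\tssh\tS0\t-\t-\t-\t-\n"
    "#close\t2017-07-14-02-40-02\n"
)

L2_COLUMNS = ("orig_l2_addr", "resp_l2_addr", "vlan", "inner_vlan")


def parse_conn_log(text):
    """Return one dict per data row, keyed by the names in the #fields header.

    Unset values (the #unset_field marker, "-" by default) become None so a
    missing MAC or VLAN is distinguishable from a real value.
    """
    fields = None
    unset = "-"
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            elif line.startswith("#unset_field\t"):
                unset = line.split("\t", 1)[1]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("row has %d columns, header has %d"
                             % (len(values), len(fields)))
        records.append({name: (None if val == unset else val)
                        for name, val in zip(fields, values)})
    return records


def l2_fields(rec):
    """Extract the MAC/VLAN columns from one record.

    VLAN ids are returned as ints; a column that is unset, or absent because
    the corresponding script was not loaded, comes back as None.
    """
    out = {name: rec.get(name) for name in L2_COLUMNS}
    for name in ("vlan", "inner_vlan"):
        if out[name] is not None:
            out[name] = int(out[name])
    return out


def hosts_by_l2(records):
    """Map each originating IP to the set of (orig MAC, vlan) pairs seen for it.

    Rows without a logged MAC are skipped. An IP that shows up on more than
    one MAC or VLAN is the kind of thing worth a second look.
    """
    seen = {}
    for rec in records:
        l2 = l2_fields(rec)
        if l2["orig_l2_addr"] is None:
            continue
        seen.setdefault(rec["id.orig_h"], set()).add(
            (l2["orig_l2_addr"], l2["vlan"]))
    return seen


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for rec in recs:
        print(rec["uid"], rec["id.orig_h"], l2_fields(rec))
    print(hosts_by_l2(recs))
```

Run it as a script to see the per-connection fields; feed a real conn.log through parse_conn_log to check whether the columns are actually present after editing local.bro.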