[Bro] What am I doing wrong here?

Vern Paxson vern at icir.org
Fri Dec 1 16:17:13 PST 2006

> ... this box  
> really does nothing but listen and record what it hears. It has no  
> exposure to the internal network at all except for ssh connections  
> coming to it from a specifically small range of ips. I know this  
> reads as argumentative, but all I am trying to do is understand what  
> is happening and try to implement sound measures so I don't have to  
> rebuild this box again once a week.

It would seem that just listening to network traffic, you must be safe
from it.  However, this is actually not the case.  The problem arises from
executing code to analyze the contents of the traffic you see.  If this
code contains flaws such as insufficiently sized buffers, then an attacker
can craft traffic that will infect you *even though all you do is look at it!*

Such flaws have been found in tcpdump, Ethereal, and Snort - and, even
more striking, formed the basis for the Witty worm which was launched
against ISS's network intrusion detection system products, infecting them
via their passive analysis of network traffic.

All that said, while this is a real threat against Bro, it is one you
wind up living with running any IDS written in a language that is not
fully type-safe.

> I guess maybe I shoudl be asking for suggestions more than anything  
> as to how I should set this up.

The various firewalling, avoiding setuid root, etc., that have been proposed
on this thread for isolating your system are all prudent steps.


More information about the Bro mailing list