[Bro] Is there a quickstart method?
dcaldwell at colsa.com
Wed Nov 29 12:10:03 PST 2006
Running FreeBSD, while being a good idea from all sides considering
that was what it was developed on, puts me in a position where I have
to relearn a whole operating system and be able to function half way
responsibly right this minute. I don't have that option.....yet.
Bro actually won't be parsing data the way we are setting it up. I am
mirroring the ports between the switch outside the firewall (input to
the switch), and the interface of the bro machine. Now the bro
machine is going to be sitting completely outside the firewall, with
no internal connections at all. The admin interface (eth2) will also
be outside the firewall. I will have to ssh to it from wherever. If I
am thinking correctly it really does not matter what ip address I
assign to the bro listening interface because in promiscuous mode the
interface will not really have an ip address anyway.....it just
listens on this interface (please correct me if I am wrong). The
second interface I can set up a quick iptables ruleset to deny all
and allow only internal (to the box) requests.
So while I am not too terribly concerned about this box being used to
circumvent my security inside the firewall, I am concerned about the
box being taken over. Any of you have a suggestion as to how to keep
this from happening, or is my logic sound on my thinking here?
On Nov 29, 2006, at 1:29 PM, Robin Sommer wrote:
> On Wed, Nov 29, 2006 at 13:03 -0600, you wrote:
>> Is that safe?
> Um, frankly, no.
> Personally I don't think that running Bro as root in production mode
> is a good idea. But Linux does require root privs for packet
> capturing (which is why I wrote this kernel hack to allow non-root
> members of a certain group to do it as well). One thing on my to-do
> list is adding code to Bro which drops the root privs once the
> interface is opened. Haven't got around to doing that yet though,
> primarily because most of us here use FreeBSD which doesn't have
> this problem (and is *much* better in capture performance anyway).
>> thing is it? Now considering I am going to be running in pro mode I
>> suppose that it really won't have an ip assigned to that particular
>> interface so it really doesn't matter too much who the service runs
>> under, but still.....
> Yes, still... Just think about the fact that Bro is parsing the data on the
> network link, e.g., data supplied by external entities...
>> I did run brolite to get things going yesterday, and it choked trying
>> to create the user bro. It told me that I had to do it by hand. I did
>> that, but neglected to assign the user a home directory.
> (I actually don't know much about the internals of the bro-lite
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org
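The privilege drop Robin describes (open the capture interface as root, then give up root before any packet data is parsed) is shown below as an added example; it is not Bro's code and not the kernel hack mentioned in the thread. The account name "bro" is the one brolite creates in the thread; the pcap call itself is left as a comment at the point where it would go, so the privilege-handling logic compiles and runs without libpcap or root.

```c
/* Added example (not Bro's own code): open the capture handle while still
 * root, then permanently drop to an unprivileged account before parsing any
 * bytes from the mirrored link.  The pcap_open_live() step is indicated by a
 * comment so the drop logic can be built and exercised without libpcap. */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid.  Order matters: supplementary groups and the
 * gid must go first, because once the uid is unprivileged the process can no
 * longer change them.  setgid()/setuid() change real, effective AND saved
 * ids, so the drop cannot be undone.  Returns 0 on success, -1 on error
 * (errno set). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may reset the supplementary group list. */
        if (setgroups(1, &gid) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Check that root cannot be regained: once unprivileged, setuid(0) must
 * fail with EPERM.  Returns 1 if root is unreachable, 0 otherwise (including
 * the case where we are still root). */
int privileges_irreversible(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;           /* regained root: saved uid was still 0 */
    return errno == EPERM;
}

/* Resolve an account name (e.g. the "bro" user from the thread) to uid/gid.
 * Returns 0 on success, -1 if the account does not exist. */
int lookup_account(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "bro";   /* account assumed to exist */
    uid_t uid;
    gid_t gid;

    /* 1. Still root here: this is where pcap_open_live() on the sniffing
     *    interface would be called (raw capture needs root on Linux). */

    /* 2. Drop before touching a single packet byte. */
    if (lookup_account(user, &uid, &gid) != 0) {
        fprintf(stderr, "unknown user %s\n", user);
        return 1;
    }
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%d gid=%d, root regainable: %s\n",
           (int)getuid(), (int)getgid(),
           privileges_irreversible() ? "no" : "yes");

    /* 3. Only now enter the packet-processing loop. */
    return 0;
}
```

The check in privileges_irreversible() is the part worth keeping in any daemon that does this: a drop done with seteuid() alone leaves the saved uid at 0, and a parser bug in the packet loop would then be enough to get root back.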