[Bro] Is there a quickstart method?

Seth Hall seth at net.ohio-state.edu
Wed Nov 29 13:04:27 PST 2006

On Nov 29, 2006, at 3:10 PM, David Caldwell wrote:

> So while I am not too terribly concerned about this box being used to
> circumvent my security inside the firewall, I am concerned about the
> box being taken over. Any of you have a suggestion as to how to keep
> this from happening, or is my logic sound on my thinking here?

You have to keep in mind that since bro will be parsing packets that  
are passing over your network and if someone crafts a packet that  
crashes one of the protocol analyzers, there is potential for  
compromise.  Wireshark (ethereal) has run into this issue many times  
recently and they have always strongly advised upgrading because  
people will tend to run it as root, especially on linux.  And if  
someone compromises your IDS as the root user, it makes the attackers  
job of hiding their activity much easier.

Open source software isn't the only software affected by this problem  
either, ISS's IDS had this problem recently too, and many of their  
customers were compromised by malicious packets.  Here's the CERT  
advisory about it.. https://www.kb.cert.org/vuls/id/150326

Fortunately, Bro is heading down the path of becoming less vulnerable  
to these attacks with binpac (http://bro-ids.org/wiki/index.php/BinPAC).

I would advise following Robin's advice and running bro as a user  
other than root.  That offers a little protection, but keep in mind  
that closely monitoring the server is suggested so that if you are  
compromised you may be able to detect it and recover quickly.


More information about the Bro mailing list