[Bro] Is there a quickstart method?
seth at net.ohio-state.edu
Wed Nov 29 13:04:27 PST 2006
On Nov 29, 2006, at 3:10 PM, David Caldwell wrote:
> So while I am not too terribly concerned about this box being used to
> circumvent my security inside the firewall, I am concerned about the
> box being taken over. Any of you have a suggestion as to how to keep
> this from happening, or is my logic sound on my thinking here?
You have to keep in mind that since Bro will be parsing packets that
are passing over your network, if someone crafts a packet that
crashes one of the protocol analyzers, there is potential for
compromise. Wireshark (Ethereal) has run into this issue many times
recently and they have always strongly advised upgrading, because
people will tend to run it as root, especially on Linux. And if
someone compromises your IDS as the root user, it makes the attacker's
job of hiding their activity much easier.
Open source software isn't the only software affected by this problem
either; ISS's IDS had this problem recently too, and many of their
customers were compromised by malicious packets. Here's the CERT
advisory about it: https://www.kb.cert.org/vuls/id/150326
Fortunately, Bro is heading down the path of becoming less vulnerable
to these attacks with binpac (http://bro-ids.org/wiki/index.php/BinPAC).
I would advise following Robin's advice and running bro as a user
other than root. That offers a little protection, but keep in mind
that closely monitoring the server is suggested so that if you are
compromised you may be able to detect it and recover quickly.
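The two mitigations discussed in this thread, a length check that keeps a crafted packet from crashing an analyzer and running the sensor under a user other than root, shown together in a toy analyzer. This is an added example written for this archive page; it is not Bro code, not binpac output, and not something posted on the list. The record format (one type byte, a two-byte big-endian payload length, then the payload) is invented for illustration, and the unprivileged account name "bro" in main() is an assumption.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>

/* Constructed record layout: 1-byte type, 2-byte big-endian payload length, payload. */
#define REC_HDR_LEN 3
#define MAX_PAYLOAD 64

typedef struct {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];
} record_t;

/* Returns the number of bytes consumed, or 0 if the buffer does not hold a
 * complete, sane record. The two checks are exactly what a crafted packet
 * is built to defeat: the claimed length must fit the bytes actually captured
 * AND the destination buffer; skipping either one is the memcpy overrun that
 * turns a parser bug into a compromise of the sensor. */
size_t parse_record(const uint8_t *buf, size_t buflen, record_t *out) {
    if (buf == NULL || out == NULL || buflen < REC_HDR_LEN)
        return 0;
    uint16_t claimed = (uint16_t)((buf[1] << 8) | buf[2]);
    if (claimed > MAX_PAYLOAD)                  /* would overrun out->payload */
        return 0;
    if ((size_t)claimed > buflen - REC_HDR_LEN) /* would read past the capture */
        return 0;
    out->type = buf[0];
    out->len  = claimed;
    memcpy(out->payload, buf + REC_HDR_LEN, claimed);
    return REC_HDR_LEN + claimed;
}

/* Drop root after the capture socket has been opened by the caller (root is
 * needed to open it, not to parse traffic). Order matters: supplementary
 * groups first, then gid, then uid; finally verify the drop cannot be undone.
 * Returns 0 on success, -1 on any failure, including a request to "drop" to
 * uid 0, which would leave the analyzer running as root. */
int drop_privileges(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)
        return -1;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    if (setuid(0) == 0)   /* if root can be regained, the drop did not stick */
        return -1;
    return 0;
}

int main(void) {
    /* Constructed sample input: one well-formed record followed by one with a
     * claimed payload length far larger than what was captured. */
    const uint8_t good[]    = { 0x01, 0x00, 0x03, 'a', 'b', 'c' };
    const uint8_t crafted[] = { 0x01, 0xFF, 0xFF, 'a' };
    record_t r;

    printf("good record: consumed %zu bytes\n", parse_record(good, sizeof good, &r));
    printf("crafted record: consumed %zu bytes (0 = rejected)\n",
           parse_record(crafted, sizeof crafted, &r));

    /* "bro" is an assumed, dedicated unprivileged account; this only succeeds
     * when started as root on a host where that account exists. */
    if (drop_privileges("bro") == 0)
        printf("now running as uid %u\n", (unsigned)getuid());
    else
        printf("privilege drop not performed (not root, or account missing)\n");
    return 0;
}
```

The parser rejects a record rather than trying to repair it, since a parser that guesses at a malformed packet is itself a source of bugs; the privilege drop refuses to target uid 0 so that a misconfigured account name cannot silently leave the sensor running as root.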