[Bro] What am I doing wrong here?

David Caldwell dcaldwell at colsa.com
Wed Nov 29 14:50:16 PST 2006

Just so I can make sure I was clear here, and so I have this down  
right in my explanation to the group, I am going to rephrase the  
question I asked earlier.

We have two interfaces on the machine that will run bro. One is the
bro listening interface, and this one gets run in promiscuous mode.
The second, which is my admin interface and will be firewalled to the
degree that I only have ssh listening on it, is in reality open to the
outside world. Since the bro interface runs in promiscuous mode, it
really doesn't matter what IP I run on that port (I currently have it
configured as a 10. address, and bro didn't complain going into
promiscuous mode). Both interfaces are physically set outside the
firewall. They have no internal connection to the inside network, nor
does the machine have anything running or set up to run that will
allow access to the inside network. Basically, if we want to look at
bro logs we have to ssh in from outside or go directly to the box in
the closet.

Now I do understand that running any process as root has its ugly
side, and it does open me up for malicious intent, but bro doesn't do
anything but listen like a big ear. There is no response built into
bro that would allow it to do anything. I do understand the crafted
packet concept, but if the only reachable port on the machine is only
listening to ssh requests from a specific range of IPs, and is set up
to use passphrase authentication with all other ports blocked to the
outside, am I not safe? I do intend to implement the patch to set bro
up to run as bro, if for nothing else but to try to ensure that is one
less way of compromising the machine.

I am in no way a security guy. I am just trying to analyze this in a
fashion that seems to make some form of logical sense to me. I know
there is no such thing as perfect security, but in the end this box
really does nothing but listen and record what it hears. It has no
exposure to the internal network at all except for ssh connections
coming to it from a specific, small range of IPs. I know this
reads as argumentative, but all I am trying to do is understand what
is happening and try to implement sound measures so I don't have to
rebuild this box again once a week.

I guess maybe I should be asking for suggestions more than anything
as to how I should set this up.

If I had a way to put a diagram of the setup here I would, and maybe
you guys could tell me what I need to know that way. I am not known
for being the best at explaining things.


On Nov 29, 2006, at 2:53 PM, Jean-Philippe Luiggi wrote:

> Hello,
> As far as I know, but I may have missed something :), Bro doesn't
> listen on a specific network port and you can't ask it to deliver a
> service as you would for an Apache server.
> So just protect your firewall as usual.
> Best regards.
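The setup described in the post (a sniffing interface that only receives, an admin interface that accepts nothing but ssh from a small source range, and an unprivileged account for bro) can be expressed as a short hardening script. What follows is an added example written for this page, not a script from the original thread or from the Bro project. It assumes Linux with `ip` and `iptables`, that `eth0` is the admin interface, `eth1` the sniffing interface, `192.0.2.0/24` the admin range allowed to ssh in, and `bro` the unprivileged user; all of those names are placeholders. It runs in dry-run mode by default and only prints the commands it would execute, so it can be reviewed before being run as root with `DRY_RUN=0`.

```shell
#!/bin/sh
# Hardening sketch for a two-interface Bro sensor (added example, not from the post).
# Assumed names (change for your box):
#   eth0          admin interface (has an IP, reachable from outside)
#   eth1          sniffing interface (promiscuous, no IP, receive only)
#   192.0.2.0/24  the only source range allowed to ssh in
#   bro           unprivileged account the capture process should run as
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).

ADMIN_IF="${ADMIN_IF:-eth0}"
SNIFF_IF="${SNIFF_IF:-eth1}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
BRO_USER="${BRO_USER:-bro}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Sniffing interface: strip every address, disable ARP, enable promiscuous
#    mode. With no IP and no ARP the interface can receive but never answers,
#    which is what makes "it doesn't matter what IP is on that port" true.
sniff_iface_setup() {
    run ip addr flush dev "$SNIFF_IF"
    run ip link set dev "$SNIFF_IF" arp off
    run ip link set dev "$SNIFF_IF" promisc on
    run ip link set dev "$SNIFF_IF" up
}

# 2. Admin interface: default-deny INPUT and FORWARD, allow loopback and
#    replies to our own connections, and accept new connections only for
#    ssh, only on the admin interface, only from ADMIN_NET. An explicit drop
#    for the sniffing interface gives it its own counter in `iptables -nvL`,
#    which is handy for confirming nothing is being accepted there.
admin_firewall_setup() {
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -F INPUT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$ADMIN_IF" -p tcp -s "$ADMIN_NET" --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A INPUT -i "$SNIFF_IF" -j DROP
}

# 3. sshd: key-based login only (the "passphrase" in the post protects the
#    private key, not the account), no password auth, no direct root login.
#    Emits a fragment to merge into /etc/ssh/sshd_config.
sshd_hardening_fragment() {
    cat <<EOF
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
EOF
}

# 4. Unprivileged account for the capture process and its log directory
#    (system account, no shell). Dropping bro itself to this user is what
#    the patch the post refers to does; this only prepares the account.
bro_user_setup() {
    run useradd -r -s /sbin/nologin -d /var/log/bro "$BRO_USER"
    run mkdir -p /var/log/bro
    run chown "$BRO_USER" /var/log/bro
    run chmod 750 /var/log/bro
}

# Dry run by default: review the printed commands, then rerun with DRY_RUN=0.
sniff_iface_setup
admin_firewall_setup
bro_user_setup
sshd_hardening_fragment
```

Two things the script deliberately does not do: it never gives the sniffing interface an address, so there is nothing on it for a crafted packet to be delivered to, and it filters ssh by source range in the firewall rather than relying on sshd alone, so a future sshd bug is only reachable from the admin range. Run `iptables -nvL INPUT` afterwards and confirm the `eth1` DROP counter is the only one climbing on that interface.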
