[Bro] What am I doing wrong here?
dcaldwell at colsa.com
Wed Nov 29 14:50:16 PST 2006
Just so I can make sure I was clear here, and so I have this down
right in my explanation to the group, I am going to rephrase the
question I asked earlier.
We have two interfaces on the machine that will run bro. One is the
bro listening interface, and this one gets run in promiscuous mode.
The second, which is my admin interface and will be firewalled to the
degree that I only have ssh listening on it, is in reality open to the
outside world. Since the bro interface runs in promiscuous mode, it
really doesn't matter what ip I run on that port (I currently have it
configured as a 10. address, and bro didn't complain going into
promiscuous mode). Both interfaces are physically set outside the
firewall. They have no internal connection to the inside network, nor
does the machine have anything running or set up to run that will
allow access to the inside network. Basically, if we want to look at
bro logs we have to ssh in from outside or go directly to the box in
Now I do understand that running any process as root has its ugly
side, and it does open me up to malicious intent, but bro doesn't do
anything but listen like a big ear. There is no response built into
bro that would allow it to do anything. I do understand the crafted
packet concept, but if the only reachable port on the machine is only
listening to ssh requests from a specific range of ips, and is set up
to use pass phrase authentication with all other ports blocked to the
outside, am I not safe? I do intend to implement the patch to set bro
up to run as bro if for nothing else but to try to ensure that it is one
less way of compromising the machine.
I am in no way a security guy. I am just trying to analyze this in a
fashion that seems to make some form of logical sense to me. I know
there is no such thing as perfect security, but in the end this box
really does nothing but listen and record what it hears. It has no
exposure to the internal network at all except for ssh connections
coming to it from a specifically small range of ips. I know this
reads as argumentative, but all I am trying to do is understand what
is happening and try to implement sound measures so I don't have to
rebuild this box again once a week.
I guess maybe I should be asking for suggestions more than anything
as to how I should set this up.
If I had a way to put a diagram of the setup here I would, and maybe
you guys could tell me what I need to know that way. I am not known
for being the best at explaining things.
On Nov 29, 2006, at 2:53 PM, Jean-Philippe Luiggi wrote:
> As far as I know, but I may have missed something :), Bro doesn't
> listen on a specific network port and you can't ask it to deliver a
> service as you would do for an Apache server.
> So just protect your firewall as usual.
> Best regards.
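As an added example (not part of the original thread), the following shell script audits the two-interface layout described above: the sniffing interface must carry the PROMISC flag, and nothing but ssh may be reachable on the admin address. The interface names, the admin address, and the `ip -o link` / `ss -Hlntu` sample output are all constructed assumptions for the example.

```shell
#!/bin/sh
# Added example: posture check for a sensor with one promiscuous capture
# interface and one firewalled admin interface. All names below are assumptions.
ADMIN_IF="eth0"        # assumed admin (ssh-only) interface
ADMIN_IP="192.0.2.10"  # constructed documentation address for the admin interface
SNIFF_IF="eth1"        # assumed promiscuous Bro capture interface

# Constructed sample in the shape of 'ip -o link show' (flags in angle brackets).
LINKS='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP'

# Constructed sample in the shape of 'ss -Hlntu' (Netid State Recv-Q Send-Q Local Peer).
# The rpcbind listener on 0.0.0.0:111 is the planted misconfiguration.
SOCKETS='tcp   LISTEN 0 128 192.0.2.10:22   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:111      0.0.0.0:*
udp   UNCONN 0 0   127.0.0.1:323    0.0.0.0:*'

# Succeeds when the named interface has the PROMISC flag in the link listing.
is_promisc() {
  printf '%s\n' "$LINKS" | grep -E "^[0-9]+: $1: <[^>]*PROMISC" >/dev/null
}

# Prints every listener reachable via the admin address other than ssh (22):
# sockets bound to the admin IP or to the wildcard address. Loopback is ignored.
exposed_listeners() {
  printf '%s\n' "$SOCKETS" | awk -v ip="$ADMIN_IP" '
    {
      n = split($5, a, ":"); addr = a[1]; port = a[n]
      if ((addr == ip || addr == "0.0.0.0" || addr == "*") && port != "22")
        print $1 " " $5
    }'
}

# Overall verdict: returns 0 only when the layout matches the described design.
sensor_posture_ok() {
  is_promisc "$SNIFF_IF" || { echo "FAIL: $SNIFF_IF is not in promiscuous mode"; return 1; }
  extra=$(exposed_listeners)
  if [ -n "$extra" ]; then
    echo "FAIL: non-ssh listeners reachable on the admin address:"; echo "$extra"; return 1
  fi
  echo "OK: $SNIFF_IF promiscuous, only ssh reachable on $ADMIN_IP ($ADMIN_IF)"
}

sensor_posture_ok
```

On a live box, replace the two constructed samples with the real command output; a non-zero exit means the sensor has drifted from the ssh-only admin design.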