[Bro] What am I doing wrong here?

Matt Cuttler mcuttler at bnl.gov
Wed Nov 29 15:59:02 PST 2006

David Caldwell wrote:

> We have two interfaces on the machine that will run bro. One is the  
> bro listening interface, and this one gets run in promiscuous mode.  
> The second, which is my admin interface and will be firewalled to the  
> degree that I only have ssh listening on it, is in reality open to the  
> outside world. Since the bro interface runs in promiscuous mode, it  
> really doesn't matter what ip I run on that port (I currently have it  
> configured as a 10. address, and bro didn't complain going into  
> promiscuous mode). Both interfaces are physically set outside the  
> firewall. They have no internal connection to the inside network, nor  
> does the machine have anything running or set up to run that will  
> allow access to the inside network. Basically, if we want to look at  
> bro logs we have to ssh in from outside or go directly to the box in  
> the closet.


You don't need an IP address at all on your bro interface; the interface
just needs to be "up" to throw it into promisc mode.

With respect to the admin interface, there's always serial port / out
of band management (I'd recommend that the management box or console
access server reside behind your firewall!). Rather than getting way off
topic, I'd invite you to contact me off-list if you'd like to discuss :-)

If you employ both of these methods, your bro box is (pretty much, at
least at L3) invisible to the world.

Good luck
-Matt Cuttler
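The "up with no IP, promiscuous" setup Matt describes, as an added example (not code from the thread or from Bro itself): a small POSIX sh script for Linux/iproute2 that configures a capture interface that way and a check function that confirms it from `ip addr show` output. The interface name `eth1` and the sample `ip addr show` text are placeholders I constructed.

```shell
#!/bin/sh
# Added example: address-less promiscuous capture interface for Bro.
# Assumes Linux with iproute2; CAP_IFACE is a placeholder (default eth1).
CAP_IFACE="${CAP_IFACE:-eth1}"

# Bring the sniffing interface up without any L3 identity:
#  - flush any configured address (it is never needed for capture)
#  - arp off so the NIC never answers ARP for anything
#  - promisc on so Bro sees all frames on the segment
#  - disable IPv6 so the kernel does not auto-assign a link-local address
capture_iface_up() {
    iface="$1"
    ip addr flush dev "$iface"
    ip link set dev "$iface" arp off
    ip link set dev "$iface" promisc on
    ip link set dev "$iface" up
    sysctl -q -w "net.ipv6.conf.${iface}.disable_ipv6=1"
}

# Verify from the text of `ip addr show dev <iface>`: returns 0 only if the
# flags include PROMISC and UP and there is no inet/inet6 line at all.
check_capture_iface() {
    out="$1"
    case "$out" in *PROMISC*) ;; *) return 1 ;; esac
    case "$out" in *[\<,]UP[,\>]*) ;; *) return 1 ;; esac
    # any inet or inet6 address means the box is reachable at L3 on this port
    printf '%s\n' "$out" | grep -Eq '^[[:space:]]*inet6? ' && return 1
    return 0
}

# Usage: sh capiface.sh apply   (needs root; otherwise only defines functions)
if [ "$1" = "apply" ]; then
    capture_iface_up "$CAP_IFACE"
    if check_capture_iface "$(ip addr show dev "$CAP_IFACE")"; then
        echo "$CAP_IFACE: promiscuous, up, no address"
    else
        echo "$CAP_IFACE: NOT a clean capture interface" >&2
        exit 1
    fi
fi
```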

