[Bro] Encrypting bro logs before storing to disk

Ashwin Rao ashwin.shirvanthe at gmail.com
Wed Aug 7 09:44:19 PDT 2013


I am setting up bro to monitor traffic passing through my proxy that I
shall use for some experiments and measurements.

For IRB compliance, I need to encrypt the logs using an RSA public key
before the logs are stored on the disk. I would like to know if anyone has
run into a similar requirement while using bro.

In any case, the only way I can currently think of encrypting the logs
before a write is by wrapping the safe_write and safe_close functions (in
"src/util.cc" file in the source tree). The wrapper function shall keep the
file specific encryption state in the Ascii class present in
src/logging/writers/Ascii.cc. This wrapper function shall first encrypt the
data and then call either safe_write or safe_close respectively.

I would like to get feedback on whether this seems right and if I am missing
something that has already been done and can be used without this hack.
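An added example, not code from the post or from Bro, of the per-file encryption state the post describes, written in Go against the standard library: since RSA alone cannot encrypt bulk data, each log file gets a fresh AES-256-GCM key that is RSA-OAEP-wrapped with the recipient's public key into the file's first line, followed by one authenticated base64 record per log line, so the monitoring host never holds anything that can decrypt its own logs. The key pair, the io.Writer standing in for safe_write and the line layout are this example's assumptions; the private-key holder decrypts by unwrapping the header and opening each record in turn.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"io"
)

// GenerateRecipientKey runs on the analyst's machine; only pub goes to the sensor.
func GenerateRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// LogEncryptor is the per-file state the post's wrapper around safe_write would
// keep: the file's own AES-256-GCM key (RSA-wrapped in the header line) and the
// nonce counter seq, which never repeats within one file.
type LogEncryptor struct {
	w    io.Writer // the underlying file; safe_write in the post's design
	aead cipher.AEAD
	seq  uint64
}

// NewLogEncryptor writes the header line base64(RSA-OAEP(file key)) to w.
func NewLogEncryptor(w io.Writer, pub *rsa.PublicKey) (*LogEncryptor, error) {
	key := make([]byte, 32) // only this key is RSA-encrypted, never the log data
	rand.Read(key)          // documented never to fail since Go 1.24
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // cannot fail: key is 32 bytes
	aead, _ := cipher.NewGCM(block)
	_, err = io.WriteString(w, base64.StdEncoding.EncodeToString(wrapped)+"\n")
	return &LogEncryptor{w: w, aead: aead}, err
}

// WriteLine seals one log line as one base64 text line: nonce || ciphertext || tag.
func (e *LogEncryptor) WriteLine(line string) error {
	nonce := make([]byte, e.aead.NonceSize()) // 4 zero bytes + 8-byte counter
	binary.BigEndian.PutUint64(nonce[4:], e.seq)
	e.seq++ // a reader can check the counter to spot a dropped or reordered record
	rec := e.aead.Seal(nonce, nonce, []byte(line), nil)
	_, err := io.WriteString(e.w, base64.StdEncoding.EncodeToString(rec)+"\n")
	return err
}
```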
