[Bro] File Extraction

Seth Hall seth at icir.org
Thu Dec 4 06:14:00 PST 2014

> On Dec 4, 2014, at 9:05 AM, Marcus LaFerrera <marcus at randomhack.org> wrote:
> Though not privilege dropping, it will still give you the added security and peace of mind that you aren't running as root. I've been doing this for several years now and never had any issues with it. Albeit, this has always been on a linux based server.

That’s definitely the alternative.  I used to do the same thing on FreeBSD, but on there you make changes to the devd.conf so that your lower-privileged user has permission to open the /dev/bpf* devices.  

Ultimately I think that using a privilege dropping mechanism is probably the easiest way for most people because it doesn’t require any special configuration to the OS to make it work.  You would just configure broctl to run Bro as a certain user or run Bro with a certain flag (depending on if you use BroControl or run Bro directly).


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list