[Bro] Workers/Proxies & port forwarding

David Hoelzer dhoelzer at sans.org
Tue Nov 18 09:10:10 PST 2014


I recently spent some time trying to work through an issue that arises when port forwarding is in use.  I’m wondering if I’m missing something obvious.

Bro workers, proxies and managers seem to be very averse to port forwarding.  I have a few workers that I’m trying to deploy outside of a perimeter.  I am loath to simply create permit rules and the infrastructure does not lend itself to creating a dark LAN just for Bro workers out of band.  The compromise is that there is no issue creating a port forwarding rule that will permit these systems to get back to the proxy.

Unfortunately, the workers and the proxy are very unhappy with this arrangement.  Aside from creating really weird local IPTables rules that allow me to essentially trick them into thinking that they are talking to the “actual” addresses, is there a more elegant way to do this with Bro as it stands today?

Thanks


