[Bro] [Non-DoD Source] Re: Bro 2.5 and FIPS
Hosom, Stephen M
hosom at battelle.org
Fri Dec 9 10:06:30 PST 2016
Is creating a policy exception possible for you? Honestly, I work in similar environments and I would advise against making major modifications to Bro's source code. Document the fact that in the event of a vulnerability in your system you won't be able to be as responsive to the vulnerability. Significant source code modifications will hamper your ability to pull a patch in quickly. Since Bro doesn't use md5 anywhere that this really matters... I would hope that your compliance team is willing to be reasonable about this.
From: Weasel, Gary W Jr CIV DISA RE (US) [mailto:gary.w.weasel2.civ at mail.mil]
Sent: Friday, December 9, 2016 9:40 AM
To: 'johanna at icir.org' <johanna at icir.org>; Hosom, Stephen M <hosom at battelle.org>
Cc: 'bro at bro.org' <bro at bro.org>
Subject: RE: [Non-DoD Source] Re: [Bro] Bro 2.5 and FIPS
Unfortunately it doesn't seem to be that simple. Commenting out all the references to ANALYZER_MD5 in the scripts didn't make any difference in attempting to run the program, and it seems anything that uses the openssl md5 wrapper probably is what gets stopped. I'm going through the code trying to see what happens if I just try to remove all the md5 usage for that wrapper, but honestly my current expectation is that this won't even succeed in make.
Gary W. Weasel, Jr. | Computer Engineer
Incident Response and Recovery Team, RE62
From: Johanna Amann [mailto:johanna at icir.org]
Sent: Thursday, December 8, 2016 2:09 PM
To: Hosom, Stephen M <hosom at battelle.org>
Cc: Weasel, Gary W Jr CIV DISA RE (US) <gary.w.weasel2.civ at mail.mil>; bro at bro.org
Subject: [Non-DoD Source] Re: [Bro] Bro 2.5 and FIPS
Actually, MD5 certificates don't really happen anymore in practice, and OpenSSL would do the verification itself, which probably won't give an assertion.
While we don't support a configuration of Bro out of the Box that does not use MD5, I think you might actually be able to accomplish this without changing too much. I would try downloading the source, going into scripts/base and commenting all calls that look like...
There only are a few places that do that (mainly certificates are hashed by default); however, I don't think we really need that. You probably also need to stay away from using bloom filters. But - that might be good enough to eliminate all traditional digest MD5 calls in the base configuration.
On 8 Dec 2016, at 10:15, Hosom, Stephen M wrote:
> The problem is caused by the fact that Bro needs to process certs that
> make use of md5 and in order to do that it uses the portions of
> OpenSSL that handle md5...which have been disabled. As for the fix?
> I'm not actually sure. No matter how you swing it, you really do want
> to be able to use those portions of the library for network monitoring
> purposes. The only thing I can think of that might get you out of this
> is to link against an alternate version of OpenSSL that you use solely
> for Bro that disables FIPS mode... that way you have it enabled for
> most applications, but disabled for Bro. I didn't have long to look
> into how FIPS mode is set, but it looks like in your case it may have
> been a build time option.
> -----Original Message-----
> From: bro-bounces at bro.org [Caution-mailto:bro-bounces at bro.org] On
> Behalf Of Weasel, Gary W Jr CIV DISA RE (US)
> Sent: Thursday, December 8, 2016 9:45 AM
> To: 'bro at bro.org' <bro at bro.org>
> Subject: [Bro] Bro 2.5 and FIPS
> Importance: High
> I'm attempting to run Bro 2.5 on a system that is in FIPS 140-2
> compliance mode. However, any time that I attempt to run anything Bro
> related, I end up with MD5 Digest errors, such as:
> md5_dgst.c(80): OpenSSL internal error, assertion failed: Digest MD5
> forbidden in FIPS mode!
> Is there any configuration in Bro somewhere that I can change to solve
> this, where Bro is compatible with a system that's FIPS enabled? Is
> that something I would only be able to deal with when compiling Bro
> from source, or is there a way to run Bro at all in FIPS mode?
> - Gary
> Bro mailing list
> bro at bro-ids.org