[Bro] Info on configuring bro inline in AWS as IDS

Mike Dopheide dopheide at gmail.com
Tue Jan 19 12:32:17 PST 2016

I'm not very familiar with Amazon ELBs, but this is an interesting model so
I have a couple clarifying questions to make sure we understand what you're
trying to do

1)  So the model is ext_ELB -> Bro/router -> int_ELB, using Bro as an IPS
rather than IDS?   Are you planning multiple Bro instances to handle the
load and provide failover?

2)  Bro, by itself, is not a routing engine.  It doesn't pass traffic out
to another interface once it's done examining it.

If I understand what you're trying to do, you'd need to setup a software
router (pfSense, Clickrouter, PacketBricks?, Microtik's RouterOS) have it
mirror traffic to Bro, and then write Bro policies to inject rules into the
router as needed.  I'm not sure if someone has already done it, but it
wouldn't be an insignificant effort.

(I believe Amazon supports a few virtual IPS appliances, like Palo Alto or
Juniper as well.)


On Tue, Jan 19, 2016 at 11:37 AM, James Stallard <JStallard at enquizit.com>

> Hello Bros:
> I'm just now installing bro for the government website at Small Business
> Admin.
> The plan is to have bro behind our public ELBs as an in-line IDS, then
> route traffic to internal ELBs in front of our application / web servers.
> As this is AWS, no tap is possible and the EC2s can be run in promiscuous
> mode either.
> After a quick review of the documentation, I don't see where I can
> configure the routing once bro has done its work.
> I.E. if I configure:
> bro -i en0 <list of scripts to load>
> do I need to then configure a script that will export all traffic to
> another agent such as an ELB or nginx ?
> Any help would be appreceated.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160119/e6d45f2b/attachment.html 

More information about the Bro mailing list