[Bro] branching Bro

erik clark philosnef at gmail.com
Thu Feb 2 06:46:48 PST 2017

Stephen, Bro flat out does not run if your kernel is in fips mode. You
specifically get:

ValueError: error:060800A3: digitial envelope
routines:EVP_DigestInit_ex:disabled for fips

I brought up the cross network logging encryption issue previously. This is
very specifically an issue where you can not run Bro at all with a FIPS
compliant kernel. Getting someone to sign off on an exception not only for
Bro, but the kernel as well, is unlikely. The issue with the md5 crypto
libs in Bro causing it to simply not run with a FIPS kernel was already
brought up in the list as well, by Gary.

On Thu, Feb 2, 2017 at 9:37 AM, Fernandez, Mark I <mfernandez at mitre.org>

> Erik, Justin -
> You both have good points.  For Erik, I think you have solid ground on
> which to stand if you make the following distinctions:
>         (a) Bro is capable of inspecting/monitoring/detecting FIPS
> non-compliant encryption; this is a valid and necessary capability for the
> defense and security of your network; and
>         (b) Is Bro being used to PROTECT federal information (whether in
> transit or at rest)?  If not, then no worries, argument alleviated.  But if
> so, then is Bro able to implement a FIPS-compliant encryption to do so?
> As long as Bro uses FIPS-compliant encryption to PROTECT information (or
> if you can come up with an appropriate mitigation), then I believe you can
> make a reasonable case to your certification and accreditation folks to
> allow Bro to also continue monitoring for non-compliance.
> Cheers!
> Mark Fernandez
> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of
> Azoff, Justin S
> Sent: Thursday, February 02, 2017 9:00 AM
> To: erik clark <philosnef at gmail.com>
> Cc: Bro-IDS <bro at bro.org>
> Subject: Re: [Bro] branching Bro
> > On Feb 2, 2017, at 8:53 AM, erik clark <philosnef at gmail.com> wrote:
> >
> > Sadly, in the federal world, FIPS compliance isn't meaningless. There is
> a real need for it.
> And handicapping the best tool you'd have to detect noncompliant
> certificates is extremely misguided and counterproductive.
> It's like if you had a tool that could scan for use of 512bit key SSL
> certificates, and someone prevented you from using it because it "supports"
> 512bit certificates and 512bit certificates are not FIPS compliant.
> --
> - Justin Azoff
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170202/b13b2917/attachment.html 

More information about the Bro mailing list