[Bro] traffic to logger from workers

erik clark philosnef at gmail.com
Thu Jan 19 05:37:30 PST 2017

This seems to be a pretty big oversight. Depending on the controls you
implement from NIST 800-53 Rev 4, encryption between processes is
mentioned. In our environment, it is not just nice to have, it is a

Since no Bro to Bro communication is encrypted, this makes it 100%
impossible for us to have a Bro cluster spanning multiple servers. We are
relegated to load balancing via a smart tap and hosting all-in-one Bro
instances in disparate hardware, and then forwarding the logs off the box
with Splunk which _does_ do encrypted log handoff to the indexers.

I understand that there is some concern about possible performance
implications, but making an application that is completely devoid of FIPS
140-2 compliance does not seem to be  very good.

What can be done to get encryption into Bro to Bro communication? If
nothing else, at least to the logger. The other elements (workers, proxies)
can be handled by pushing proxies to the individual hosts and blocking
proxy port requests from Bro between hosts.

On Wed, Jan 18, 2017 at 7:06 PM, Johanna Amann <johanna at icir.org> wrote:

> n Wed, Jan 18, 2017 at 07:51:54AM -0500, erik clark wrote:
> > Does the logger receive traffic over an encrypted tunnel? It does not
> > appear to be the case.
> No, Bro to Bro communication is not encrypted.
> Johanna
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170119/61610aa0/attachment.html 

More information about the Bro mailing list