[Bro] Best set up practice
vladg at illinois.edu
Thu Jan 19 08:02:09 PST 2017
Thanks, Michael! I've been meaning to look into this for a while. I'll
have to give this a shot.
Michael Shirk <shirkdog.bsd at gmail.com> writes:
> I wrote up a basic how-to for getting Bro working within a FreeBSD jail.
> Michael Shirk
> Daemon Security, Inc.
> On Dec 10, 2016 11:49 AM, "Michael Shirk" <shirkdog.bsd at gmail.com> wrote:
>> In the FreeBSD sense, jail all the things. You will be able to find some
>> write-ups for Snort, but not so much for Bro, which I will look to create
>> and blog about.
>> The main thing is that when you setup the jail, make sure the jail is
>> configured for the interface you wish to monitor. You would normally
>> monitor the LAN side, but you could have a separate jail configured to
>> monitor the external side in a separate jail looking for threats and
>> traffic making it in and out of your firewall.
>> A couple of additional items I myself have not had the chance to play with
>> but should be possible in Bro 2.5 is the ability to interact with ipfw/pf
>> with the NetControl Framework to update the firewall on the fly, also
>> for shunting flows.
>> As far as logging, I normally stick to the standard Bro log files, and you
>> can run tools from the host OS to process the log files in the jail if you
>> Michael Shirk
>> Daemon Security, Inc.
>> On Dec 9, 2016 13:31, "Todd Carpenter" <tcarpenter604 at gmail.com> wrote:
>>> Hi all,
>>> Just joined the list and had a question … that I apparently sent to
>>> customer support ..oops.
>>> Anyways, I'm building a FreeBSD server and was wondering what the best
>>> practice / placement for bro would be
>>> Essentially it's a forward-facing firewall based on FreeBSD. So I was
>>> wondering if it's best to deploy on the host OS, or create a jail or two and
>>> funnel traffic through that? I also wanted to know if there were any
>>> special considerations with jails / setup.
>>> Some options I came up with:
>>> internet > firewall > lan/dmz
>>> internet > firewall > nginx proxy > lan/dmz
>>> internet > firewall > dmz jail > NO lan
>>> internet > firewall > bro jail > proxy jail > lan/dmz
>>> Bro mailing list
>>> bro at bro-ids.org
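As an added illustration of Michael Shirk's point about configuring the jail for the monitored interface (this is not from the thread, the FreeBSD handbook or the Bro project; interface names, paths, hostname and ruleset number are assumptions), the three fragments below show the minimum a Bro jail on the LAN side needs: a devfs ruleset that unhides the bpf devices (the default jail ruleset hides them, so Bro could not capture), a jail.conf entry that inherits the host's network stack so the jail can see the host's interfaces and uses that ruleset, and a Bro node.cfg pinned to the LAN interface. A second jail monitoring the external side would repeat the same pattern with the WAN interface.

```conf
# /etc/devfs.rules  (assumed ruleset number 10; run "service devfs restart" after editing)
# Start from the stock jail ruleset, then expose the bpf devices Bro captures on.
[devfsrules_jail_bpf=10]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide

# /etc/jail.conf  (assumed jail name, path and hostname)
bro_lan {
    path = "/jails/bro_lan";
    host.hostname = "bro-lan.example.internal";
    # Share the host network stack: the jail sees the host's interfaces,
    # which is what lets Bro sniff the LAN side without a vnet jail.
    ip4 = inherit;
    mount.devfs;
    # Use the ruleset above so /dev/bpf* exist inside the jail.
    devfs_ruleset = 10;
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
}

# <jail>/usr/local/bro/etc/node.cfg  (assumed LAN interface em1)
# Standalone node bound to the interface this jail is meant to monitor.
[bro]
type=standalone
host=localhost
interface=em1
```

Because the jail only inherits the network stack and gains read access to bpf, a compromise of the Bro process stays confined to the jail's filesystem, and the host can still read the jail's logs directly under /jails/bro_lan/usr/local/bro/logs, as Michael describes.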