[Bro] traffic to logger from workers

Hosom, Stephen M hosom at battelle.org
Thu Jan 19 09:35:12 PST 2017

Which 800-53 control are you referencing? I’d like to help you.

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of erik clark
Sent: Thursday, January 19, 2017 8:38 AM
To: Johanna Amann <johanna at icir.org>
Cc: Bro-IDS <bro at bro.org>
Subject: Re: [Bro] traffic to logger from workers

This seems to be a pretty big oversight. Depending on the controls you implement from NIST 800-53 Rev 4, encryption between processes is mentioned. In our environment, it is not just nice to have, it is a requirement.

Since no Bro to Bro communication is encrypted, this makes it 100% impossible for us to have a Bro cluster spanning multiple servers. We are relegated to load balancing via a smart tap and hosting all-in-one Bro instances in disparate hardware, and then forwarding the logs off the box with Splunk which _does_ do encrypted log handoff to the indexers.

I understand that there is some concern about possible performance implications, but making an application that is completely devoid of FIPS 140-2 compliance does not seem to be  very good.

What can be done to get encryption into Bro to Bro communication? If nothing else, at least to the logger. The other elements (workers, proxies) can be handled by pushing proxies to the individual hosts and blocking proxy port requests from Bro between hosts.

On Wed, Jan 18, 2017 at 7:06 PM, Johanna Amann <johanna at icir.org<mailto:johanna at icir.org>> wrote:
n Wed, Jan 18, 2017 at 07:51:54AM -0500, erik clark wrote:
> Does the logger receive traffic over an encrypted tunnel? It does not
> appear to be the case.

No, Bro to Bro communication is not encrypted.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170119/d5e5c040/attachment.html 

More information about the Bro mailing list