[Bro] traffic to logger from workers

Hoelzer, Dave DHoelzer at sans.org
Thu Jan 19 10:04:07 PST 2017

Isn’t that how everyone does it?  I never have IDS or other security events passing over the internal network.  It’s always on a private, dark, network.
David Hoelzer
Dean of Faculty, STI
Fellow, SANS.org<http://SANS.org>

On Jan 19, 2017, at 12:56 PM, Michael Shirk <shirkdog.bsd at gmail.com<mailto:shirkdog.bsd at gmail.com>> wrote:

I think this refers to AC-4 for information flow enforcement. But this is where you would configure border protections or segmentation of your bro data on its own private network, or configure encrypted tunnels.

Michael Shirk
Daemon Security, Inc.

On Jan 19, 2017 12:36 PM, "Hosom, Stephen M" <hosom at battelle.org<mailto:hosom at battelle.org>> wrote:
Which 800-53 control are you referencing? I’d like to help you.

From: bro-bounces at bro.org<mailto:bro-bounces at bro.org> [mailto:bro-bounces at bro.org<mailto:bro-bounces at bro.org>] On Behalf Of erik clark
Sent: Thursday, January 19, 2017 8:38 AM
To: Johanna Amann <johanna at icir.org<mailto:johanna at icir.org>>
Cc: Bro-IDS <bro at bro.org<mailto:bro at bro.org>>
Subject: Re: [Bro] traffic to logger from workers

This seems to be a pretty big oversight. Depending on the controls you implement from NIST 800-53 Rev 4, encryption between processes is mentioned. In our environment, it is not just nice to have, it is a requirement.

Since no Bro to Bro communication is encrypted, this makes it 100% impossible for us to have a Bro cluster spanning multiple servers. We are relegated to load balancing via a smart tap and hosting all-in-one Bro instances in disparate hardware, and then forwarding the logs off the box with Splunk which _does_ do encrypted log handoff to the indexers.

I understand that there is some concern about possible performance implications, but making an application that is completely devoid of FIPS 140-2 compliance does not seem to be  very good.

What can be done to get encryption into Bro to Bro communication? If nothing else, at least to the logger. The other elements (workers, proxies) can be handled by pushing proxies to the individual hosts and blocking proxy port requests from Bro between hosts.

On Wed, Jan 18, 2017 at 7:06 PM, Johanna Amann <johanna at icir.org<mailto:johanna at icir.org>> wrote:
n Wed, Jan 18, 2017 at 07:51:54AM -0500, erik clark wrote:
> Does the logger receive traffic over an encrypted tunnel? It does not
> appear to be the case.

No, Bro to Bro communication is not encrypted.


Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170119/d16389bc/attachment.html 

More information about the Bro mailing list