[Bro] Is there a quickstart method?

David Caldwell dcaldwell at colsa.com
Wed Nov 29 12:10:03 PST 2006


Running FreeBSD, while being a good idea from all sides considering  
that was what it was developed on, puts me in a position where I have  
to relearn a whole operating system and be able to function half way  
responsibly right this minute. I don't have that option.....yet.

Bro actually won't be parsing data the way we are setting it up. I am  
mirroring the ports between the switch outside the firewall (input to  
the switch), and the interface of the bro machine. Now the bro  
machine is going to be sitting completely outside the firewall, with  
no internal connections at all. The admin interface (eth2) will also  
be outside the firewall. I will have to ssh to it from wherever. If I  
am thinking correctly it really does not matter what ip address I  
assign to the bro listening interface because in promiscuous mode the  
interface will not really have an ip address anyway.....it just  
listens on this interface (please correct me if I am wrong). The  
second interface I can set up a quick iptables ruleset to deny all  
and allow only internal (to the box) requests.

So while I am not too terribly concerned about this box being used to  
circumvent my security inside the firewall, I am concerned about the  
box being taken over. Any of you have a suggestion as to how to keep  
this from happening, or is my logic sound on my thinking here?

David


On Nov 29, 2006, at 1:29 PM, Robin Sommer wrote:

>
> On Wed, Nov 29, 2006 at 13:03 -0600, you wrote:
>
>> Is that safe?
>
> Um, frankly, no.
>
> Personally I don't think that running Bro as root in production mode
> is a good idea. But Linux does require root privs for packet
> capturing (which is why I wrote this kernel hack to allow non-root
> members of a certain group to do it as well). One thing on my to-do
> list is adding code to Bro which drops the root privs once the
> interface is opened. Haven't got around to doing that yet though,
> primarily because most of us here use FreeBSD which doesn't have
> this problem (and is *much* better in capture performance anyway).
>
>> thing is it? Now considering I am going to be running in pro mode I
>> suppose that it really won't have an ip assigned to that particular
>> interface so it really doesn't matter too much who the service runs
>> under, but still.....
>
> Yes, still... Just consider that Bro is parsing the data on the
> network link, e.g., data supplied by external entities...
>
>> I did run brolite to get things going yesterday, and it choked trying
>> to create the user bro. It told me that I had to do it by hand. I did
>> that, but neglected to assign the user a home directory.
>
> (I actually don't know much about the internals of the bro-lite
> framework).
>
> Robin
>
> -- 
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
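The privilege drop Robin lists as a to-do item (open the capture interface as root, then give root up before parsing anything from the wire), written here as an added example that is not Bro's own code. It assumes the capture handle has already been opened, and the target uid/gid 65534 (`nobody` on typical Linux systems) is an assumption.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop from root to an unprivileged uid/gid. Order matters: supplementary
 * groups first (only root can clear them), then the gid, then the uid;
 * setuid() goes last because once the uid is unprivileged the other two
 * can no longer be changed. Returns 0 on success, -1 (errno set) otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {          /* "dropping" to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible: regaining root must now fail.
     * If either call succeeds, the saved uid is still 0 and the process
     * could silently become root again while parsing untrusted packets. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Step 1 (still root): open the capture handle on the mirror-port
     * interface, e.g. pcap_open_live(). Omitted so this file needs no libpcap. */
    uid_t uid = 65534;                   /* assumption: "nobody" on most Linux boxes */
    gid_t gid = 65534;
    /* Step 2: shed root before the first byte from the wire is parsed. */
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("capturing as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```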
