[Bro] Best set up practice

Michael Shirk shirkdog.bsd at gmail.com
Sat Dec 10 08:49:13 PST 2016


In the FreeBSD sense, jail all the things. You will be able to find some
write-ups for Snort, but not so much for Bro, which I will look to create
and blog about.

The main thing is that when you set up the jail, make sure the jail is
configured for the interface you wish to monitor. You would normally
monitor the LAN side, but you could have a separate jail configured to
monitor the external side, looking for threats and traffic making it in
and out of your firewall.

A couple of additional items I myself have not had the chance to play with,
but which should be possible in Bro 2.5, are the ability to interact with
ipfw/pf via the NetControl Framework to update the firewall on the fly, and
also shunting flows.

As far as logging, I normally stick to the standard Bro log files, and you
can run tools from the host OS to process the log files in the jail if you
want.



--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com


On Dec 9, 2016 13:31, "Todd Carpenter" <tcarpenter604 at gmail.com> wrote:

> Hi all,
>
> Just joined the list and had a question … that I apparently sent to
> customer support ..oops.
>
> Anyways, I'm building a FreeBSD server and was wondering what the best
> practice / placement for Bro would be.
>
> Essentially it's a forward-facing firewall based on FreeBSD. So I was
> wondering if it's best to deploy on the host OS, or create a jail or two and
> funnel traffic through that? I also wanted to know if there were any
> special considerations with jails / setup.
>
> some options I came up with ..
>
> internet > firewall > lan/dmz
> internet > firewall > nginx proxy > lan/dmz
> internet > firewall > dmz jail > NO lan
> internet > firewall > bro jail > proxy jail > lan/dmz
>
> Thanks!
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
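The jail setup Michael describes (a jail bound to the interface you want
Bro to watch, with bpf reachable from inside it) as an added example, not
configuration from the post or from the Bro project. Jail name, paths,
the interface name em1, the address and the ruleset number are placeholders;
this assumes a FreeBSD 10+ host using /etc/jail.conf and a non-VNET jail,
so the jail shares the host network stack and only needs /dev/bpf* unhidden
to sniff.

```conf
# /etc/devfs.rules (added example; ruleset number 11 is a placeholder)
# Start from the stock jail ruleset, then expose the bpf devices that
# Bro (and tcpdump, for checking) need to capture packets.
[devfsrules_jail_bro=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide

# /etc/jail.conf (added example; name, path, interface and address are placeholders)
bro {
    path = "/usr/jails/bro";
    host.hostname = "bro.internal";

    # Put the jail's address on the interface you intend to monitor
    # (LAN side here). A second jail with interface = "em0" would do the
    # same for the external side.
    interface = "em1";
    ip4.addr = "192.168.1.250";

    # Mount devfs inside the jail with the ruleset above so /dev/bpf*
    # exists in the jail; without it Bro cannot open the capture device.
    mount.devfs;
    devfs_ruleset = "11";

    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
}
```

Before pointing Bro at the interface, confirm capture works from inside the
jail with `service devfs restart && service jail start bro && jexec bro
tcpdump -i em1 -c 5`; if tcpdump cannot open /dev/bpf, the devfs ruleset
is the first thing to check. Bro's own interface choice is then set with
`interface=em1` in broctl's node.cfg inside the jail, and the Bro log
directory under /usr/jails/bro is plain files on the host, so host-side
tools can process them as Michael notes.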