[Bro] Info on configuring bro inline in AWS as IDS

James Stallard JStallard at enquizit.com
Tue Jan 19 12:43:32 PST 2016 

Oh, thanks, Mike...

Comments/responses posted below.


________________________________
From: Mike Dopheide <dopheide at gmail.com>
Sent: Tuesday, January 19, 2016 3:32 PM
To: James Stallard
Cc: bro at bro.org
Subject: Re: [Bro] Info on configuring bro inline in AWS as IDS

I'm not very familiar with Amazon ELBs, but this is an interesting model so I have a couple clarifying questions to make sure we understand what you're trying to do

1)  So the model is ext_ELB -> Bro/router -> int_ELB,
>>YES using Bro as an IPS rather than IDS?
>>No, initially just an IDS
  Are you planning multiple Bro instances to handle the load and provide failover?
>>Yes, initially 2 loadbalanced behind ext_ELB.

2)  Bro, by itself, is not a routing engine.  It doesn't pass traffic out to another interface once it's done examining it.
>>Ikes!

If I understand what you're trying to do, you'd need to setup a software router (pfSense, Clickrouter, PacketBricks?, Microtik's RouterOS) have it mirror traffic to Bro, and then write Bro policies to inject rules into the router as needed.  I'm not sure if someone has already done it, but it wouldn't be an insignificant effort.

(I believe Amazon supports a few virtual IPS appliances, like Palo Alto or Juniper as well.)
>> OK, I'll touch base with our AWS contact  for this.

>>Thanks for the tips.

JMS
-Dop

On Tue, Jan 19, 2016 at 11:37 AM, James Stallard <JStallard at enquizit.com<mailto:JStallard at enquizit.com>> wrote:

Hello Bros:


I'm just now installing bro for the government website at Small Business Admin.

The plan is to have bro behind our public ELBs as an in-line IDS, then route traffic to internal ELBs in front of our application / web servers.


As this is AWS, no tap is possible and the EC2s can be run in promiscuous mode either.


After a quick review of the documentation, I don't see where I can configure the routing once bro has done its work.


I.E. if I configure:


bro -i en0 <list of scripts to load>

do I need to then configure a script that will export all traffic to another agent such as an ELB or nginx ?


Any help would be appreceated.


JMS

_______________________________________________
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160119/032200de/attachment.html

More information about the Bro mailing list