[Bro] Info on configuring bro inline in AWS as IDS

Damian Gerow damian.gerow at shopify.com
Thu Jan 21 08:25:45 PST 2016


Because AWS doesn't provide any concept of a tap, there are really only two
ways to run an IDS in AWS:

1. Have a central Bro worker node, and on each system where you want to
examine the traffic, set up a VPN tunnel with OpenVPN to your Bro node, and
use a tool called daemonlogger to sniff traffic off the ethernet interface
and send it out over the OpenVPN interface. On the Bro worker node, you run
one Bro instance per OpenVPN interface.
2. Directly on the nodes whose traffic you want to monitor, run a Bro
worker, configured to monitor its network interface.

(I recall reading a document from Amazon about setting up the former, but
I'm unable to find it right now.)


On Tue, Jan 19, 2016 at 3:43 PM, James Stallard <JStallard at enquizit.com>
wrote:

> Oh, thanks, Mike...
>
> Comments/responses posted below.
>
>
> ------------------------------
> *From:* Mike Dopheide <dopheide at gmail.com>
> *Sent:* Tuesday, January 19, 2016 3:32 PM
> *To:* James Stallard
> *Cc:* bro at bro.org
> *Subject:* Re: [Bro] Info on configuring bro inline in AWS as IDS
>
> I'm not very familiar with Amazon ELBs, but this is an interesting model
> so I have a couple clarifying questions to make sure we understand what
> you're trying to do
>
> 1)  So the model is ext_ELB -> Bro/router -> int_ELB,
> >>YES using Bro as an IPS rather than IDS?
> >>No, initially just an IDS
>   Are you planning multiple Bro instances to handle the load and provide
> failover?
> >>Yes, initially 2 loadbalanced behind ext_ELB.
>
> 2)  Bro, by itself, is not a routing engine.  It doesn't pass traffic out
> to another interface once it's done examining it.
> >>Ikes!
>
> If I understand what you're trying to do, you'd need to set up a software
> router (pfSense, Clickrouter, PacketBricks?, MikroTik's RouterOS) have it
> mirror traffic to Bro, and then write Bro policies to inject rules into the
> router as needed.  I'm not sure if someone has already done it, but it
> wouldn't be an insignificant effort.
>
> (I believe Amazon supports a few virtual IPS appliances, like Palo Alto or
> Juniper as well.)
> >> OK, I'll touch base with our AWS contact  for this.
>
> >>Thanks for the tips.
>
> JMS
> -Dop
>
> On Tue, Jan 19, 2016 at 11:37 AM, James Stallard <JStallard at enquizit.com>
> wrote:
>
>> Hello Bros:
>>
>>
>> I'm just now installing bro for the government website at Small Business
>> Admin.
>>
>> The plan is to have bro behind our public ELBs as an in-line IDS, then
>> route traffic to internal ELBs in front of our application / web servers.
>>
>>
>> As this is AWS, no tap is possible and the EC2s can't be run in promiscuous
>> mode either.
>>
>>
>> After a quick review of the documentation, I don't see where I can
>> configure the routing once bro has done its work.
>>
>>
>> I.E. if I configure:
>>
>>
>> bro -i en0 <list of scripts to load>
>>
>> do I need to then configure a script that will export all traffic to
>> another agent such as an ELB or nginx ?
>>
>>
>> Any help would be appreciated.
>>
>>
>> JMS
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
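The first option above (one central Bro box, one Bro instance per OpenVPN tunnel) is normally expressed as a broctl node.cfg with one worker section per tunnel interface. The script below is an added example, not part of the thread or of Bro's own tooling: it generates such a node.cfg for any number of interfaces (the tun0/tun1 names are assumed) and reports which requested interfaces are not present on the host, since broctl will fail to start a worker on a missing interface. The section keys (type, host, interface) are the standard broctl node.cfg keys for Bro 2.x.

```shell
#!/bin/sh
# Added example (not from the thread): build a broctl node.cfg for a central
# Bro host that runs one worker per OpenVPN tunnel interface, plus a check
# that the interfaces actually exist before broctl is asked to deploy.

# usage: gen_node_cfg tun0 tun1 ...   (interface names are assumptions)
gen_node_cfg() {
    [ "$#" -gt 0 ] || { echo "usage: gen_node_cfg <iface>..." >&2; return 1; }
    # Manager and proxy live on the same host as the workers.
    cat <<'EOF'
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost
EOF
    # One worker section per tunnel interface, numbered in order.
    n=1
    for iface in "$@"; do
        printf '\n[worker-%d]\ntype=worker\nhost=localhost\ninterface=%s\n' "$n" "$iface"
        n=$((n + 1))
    done
}

# Print each requested interface that is absent from this host, one per line
# (Linux exposes interfaces under /sys/class/net). Empty output means all exist.
missing_ifaces() {
    for iface in "$@"; do
        [ -e "/sys/class/net/$iface" ] || echo "$iface"
    done
}

# Demonstration with assumed interface names: write the config to stdout and
# warn about any tunnels that are not up yet.
gen_node_cfg tun0 tun1
for m in $(missing_ifaces tun0 tun1); do
    echo "warning: interface $m not present on this host" >&2
done
```

Run it on the Bro host once the tunnels are up, redirect the output to broctl's node.cfg, then `broctl deploy`; if the warning appears for an interface, bring that OpenVPN tunnel up first or drop it from the argument list.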