[Bro] Best set up practice

Michael Shirk shirkdog.bsd at gmail.com
Wed Jan 18 08:44:38 PST 2017 

I wrote up a basic how-to for getting Bro working within a FreeBSD jail.

https://www.daemon-security.com/2017/01/bro-jail-0118.html


--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com

On Dec 10, 2016 11:49 AM, "Michael Shirk" <shirkdog.bsd at gmail.com> wrote:

> In the FreeBSD sense, jail all the things. You will be able to find some
> write-ups for Snort, but not so much for Bro, which I will look to create
> and blog about.
>
> The main thing is that when you setup the jail, make sure the jail is
> configured for the interface you wish to monitor. You world normally
> monitor the LAN side, but you could have a separate jail configured to
> monitor the external side in a separate jail looking for threats and
> traffic making it in and out of your firewall.
>
> A couple of additional items I myself have not had the chance to play with
> but should be possible in Bro 2.5 is the ability to interact with ipfw/pf
> with the NetControl Framework to use update the firewall on the fly, also
> for shunting flows.
>
> As far as logging, I normally stick to the standard Bro log files, and you
> can run tools from the host OS to process the log files in the jail if you
> want.
>
>
>
> --
> Michael Shirk
> Daemon Security, Inc.
> http://www.daemon-security.com
>
>
> On Dec 9, 2016 13:31, "Todd Carpenter" <tcarpenter604 at gmail.com> wrote:
>
>> Hi all,
>>
>> Just joined the list and had a question … that I apparently sent to
>> customer support ..oops.
>>
>> anyways Im building a freebsd server and was wondering what the best
>> practice / placement for bro would be
>>
>> Essentially It’s a forward facing firewall based on freebsd. SO I was
>> wondering if its best to deploy on the host OS, or create a jail or two and
>> funnel traffic through that? I also wanted to know if there were any
>> special considerations with jails / setup.
>>
>> some options I came up with ..
>>
>> internet > firewall > lan/dmz
>> internet > firewall > nginx proxy > lan/dmz
>> internet > firewall > dmz jail > NO lan
>> internet > firewall > bro jail > proxy jail > lan/dmz
>>
>> Thanks!
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170118/d9918fe7/attachment-0001.html

More information about the Bro mailing list