[Bro] Best set up practice

Vlad Grigorescu vladg at illinois.edu
Thu Jan 19 08:02:09 PST 2017


Thanks, Michael! I've been meaning to look into this for a while. I'll
have to give this a shot.

  --Vlad

Michael Shirk <shirkdog.bsd at gmail.com> writes:

> I wrote up a basic how-to for getting Bro working within a FreeBSD jail.
>
> https://www.daemon-security.com/2017/01/bro-jail-0118.html
>
>
> --
> Michael Shirk
> Daemon Security, Inc.
> http://www.daemon-security.com
>
> On Dec 10, 2016 11:49 AM, "Michael Shirk" <shirkdog.bsd at gmail.com> wrote:
>
>> In the FreeBSD sense, jail all the things. You will be able to find some
>> write-ups for Snort, but not so much for Bro, which I will look to create
>> and blog about.
>>
>> The main thing is that when you set up the jail, make sure the jail is
>> configured for the interface you wish to monitor. You would normally
>> monitor the LAN side, but you could have a separate jail configured to
>> monitor the external side in a separate jail looking for threats and
>> traffic making it in and out of your firewall.
>>
>> A couple of additional items I myself have not had the chance to play with
>> but should be possible in Bro 2.5 is the ability to interact with ipfw/pf
>> with the NetControl Framework to update the firewall on the fly, also
>> for shunting flows.
>>
>> As far as logging, I normally stick to the standard Bro log files, and you
>> can run tools from the host OS to process the log files in the jail if you
>> want.
>>
>>
>>
>> --
>> Michael Shirk
>> Daemon Security, Inc.
>> http://www.daemon-security.com
>>
>>
>> On Dec 9, 2016 13:31, "Todd Carpenter" <tcarpenter604 at gmail.com> wrote:
>>
>>> Hi all,
>>>
>>> Just joined the list and had a question … that I apparently sent to
>>> customer support ..oops.
>>>
>>> anyways I'm building a FreeBSD server and was wondering what the best
>>> practice / placement for Bro would be
>>>
>>> Essentially it's a forward-facing firewall based on FreeBSD. So I was
>>> wondering if it's best to deploy on the host OS, or create a jail or two and
>>> funnel traffic through that? I also wanted to know if there were any
>>> special considerations with jails / setup.
>>>
>>> some options I came up with ..
>>>
>>> internet > firewall > lan/dmz
>>> internet > firewall > nginx proxy > lan/dmz
>>> internet > firewall > dmz jail > NO lan
>>> internet > firewall > bro jail > proxy jail > lan/dmz
>>>
>>> Thanks!
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
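The jail setup Michael describes above (a jail that can capture on the interface you want to monitor, with Bro's logs kept inside it), as an added example that is not from the thread or the linked blog post: a shell function that stages the devfs ruleset, jail.conf entry and broctl node.cfg for a non-VNET FreeBSD jail. Assumed names: jail root /jails/bro, monitored NIC em1, management address 10.0.0.20 on em0, devfs ruleset number 10, Bro installed in the jail under /usr/local/bro.

```shell
#!/bin/sh
# Added example, not the project's or the poster's code. DESTDIR (first
# argument) lets you stage the files somewhere harmless before copying them
# to the host; with no argument the files are written under /.

write_bro_jail_config() {
    dest="${1:-/}"
    mkdir -p "$dest/etc" "$dest/jails/bro/usr/local/bro/etc"

    # devfs ruleset: start from the standard hide-everything jail ruleset and
    # unhide only the bpf devices that packet capture needs.
    cat >> "$dest/etc/devfs.rules" <<'EOF'
[devfsrules_jail_bro=10]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'bpf*' unhide
EOF

    # jail.conf: management address on em0, devfs mounted with ruleset 10.
    # Caveat: bpf in a non-VNET jail can open any host interface, so give
    # ruleset 10 only to this monitoring jail, not to every jail on the box.
    cat >> "$dest/etc/jail.conf" <<'EOF'
bro {
    path = /jails/bro;
    host.hostname = bro.sensor.local;
    interface = em0;
    ip4.addr = 10.0.0.20;
    mount.devfs;
    devfs_ruleset = 10;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
EOF

    # broctl node.cfg inside the jail: a standalone Bro node sniffing em1
    # (the LAN side). Logs land under /usr/local/bro/logs in the jail, so the
    # host can read them from /jails/bro/usr/local/bro/logs without entering it.
    cat > "$dest/jails/bro/usr/local/bro/etc/node.cfg" <<'EOF'
[bro]
type=standalone
host=localhost
interface=em1
EOF
}
```

Run `write_bro_jail_config /tmp/stage` first and review the staged files; a second run appends duplicate stanzas to devfs.rules and jail.conf, so apply it to the real host only once.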