[Bro] BRO on the endpoint, how to manage.

Mike Dopheide dopheide at gmail.com
Wed Mar 8 08:55:41 PST 2017 

I don't know anyone else that's tried this, but it's an interesting thought
experiment.  A few initial thoughts in no particular order...

(1) Given that Bro can be relatively CPU intensive, your developers will
likely hate you for having something like that running on the same system
where they're trying to do their work.  I'd suggest setting up a one-off
example and getting some real data on performance impact.

(2) Cool idea!

(3) I'd definitely run these as one-off Bro instances rather than trying to
make it a cluster.  To start cluster communication doesn't traverse secure
protocols.  However, that means you'll have to build up your own means of
getting the log data, alerts, and checking on process status.

(4) Related to (3) most of us use Bro to passively monitor network links.
If your Bro process is sending data back out over the same network
connection that it's monitoring you'll need to be very careful not to build
a snowball effect.

(5) We've been tracking our Bro policies in git for some time now, works
great.

(6) Do your developers run a fairly standard system configuration on their
endpoints or would you have to potentially build Bro for a lot of different
environments?

(7) Maybe you could have Bro running on the endpoint only when the
developer is traveling or otherwise on a less trusted (unmonitored) network?

-Dop



On Wed, Mar 8, 2017 at 5:50 AM, Dan Ecott <dan.ecott at gmail.com> wrote:

> Hello.
>
> I am exploring whether Bro can work for my company in a particular use
> case. What I would like to do is run Bro sensors on developer laptops,
> centrally manage the Bro scripts that run on those end points and ensure
> the Bro process is always running.
>
> What is the best way to run a deployment like this? Has it been done
> before? Bro Cluster doesn't look like the right solution.
>
> As far as managing the scripts, I was thinking of building an AWS code
> pipeline where I can promote scripts through a Git repo, then have a
> process whereby approved scripts get pushed out to the end points quickly.
>
> Any help on this would be appreciated.
>
> Dan.
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170308/1a8bc084/attachment-0001.html

More information about the Bro mailing list