[Bro] BRO on the endpoint, how to manage.
Dan Ecott
dan.ecott at gmail.com
Wed Mar 8 15:53:06 PST 2017
Some responses inline. I may try and leverage AWS lambda triggers on git
commits and Jamf to get new scripts down to the laptops somehow.
Thanks for your responses. I will check back in if I make any good
progress.
Dan.
On Wed, Mar 8, 2017 at 11:55 AM Mike Dopheide <dopheide at gmail.com> wrote:
> I don't know anyone else that's tried this, but it's an interesting
> thought experiment. A few initial thoughts in no particular order...
>
> (1) Given that Bro can be relatively CPU intensive, your developers will
> likely hate you for having something like that running on the same system
> where they're trying to do their work. I'd suggest setting up a one-off
> example and getting some real data on performance impact.
>
Definitely going to look at how this impacts the use of the laptops.
Initial assessments on my own show that the Bro processes don't use
anything more than 2% CPU with the out-of-the-box scripts.
>
>
> (2) Cool idea!
>
If it works. :-)
>
> (3) I'd definitely run these as one-off Bro instances rather than trying
> to make it a cluster. To start, cluster communication doesn't traverse
> secure protocols. However, that means you'll have to build up your own
> means of getting the log data, alerts, and checking on process status.
>
Yes. We run the Splunk forwarder on the laptops too and I symlink the Bro logs
into /var/log, which Splunk forwards out for indexing. Process checking is
another thing I have to figure out.
>
>
> (4) Related to (3) most of us use Bro to passively monitor network links.
> If your Bro process is sending data back out over the same network
> connection that it's monitoring you'll need to be very careful not to build
> a snowball effect.
>
Agreed. Gotcha.
>
>
> (5) We've been tracking our Bro policies in git for some time now, works
> great.
>
Cool.
>
>
> (6) Do your developers run a fairly standard system configuration on their
> endpoints or would you have to potentially build Bro for a lot of different
> environments?
>
Yes. This is going to be running on modern MacBook Pro laptops fully
loaded. Should be no issues.
>
>
> (7) Maybe you could have Bro running on the endpoint only when the
> developer is traveling or otherwise on a less trusted (unmonitored) network?
>
Worth thinking about.
>
> -Dop
>
>
>
> On Wed, Mar 8, 2017 at 5:50 AM, Dan Ecott <dan.ecott at gmail.com> wrote:
>
> Hello.
>
> I am exploring whether Bro can work for my company in a particular use
> case. What I would like to do is run Bro sensors on developer laptops,
> centrally manage the Bro scripts that run on those endpoints and ensure
> the Bro process is always running.
>
> What is the best way to run a deployment like this? Has it been done
> before? Bro Cluster doesn't look like the right solution.
>
> As far as managing the scripts, I was thinking of building an AWS code
> pipeline where I can promote scripts through a Git repo, then have a
> process whereby approved scripts get pushed out to the endpoints quickly.
>
> Any help on this would be appreciated.
>
> Dan.
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
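Two of the open items in the thread (keeping a standalone Bro instance alive on each laptop, and exposing its logs under /var/log for the Splunk forwarder) can be covered by a small watchdog. The script below is an added example, not code from the thread or from the Bro project. It assumes a Bro install under BRO_PREFIX, a pid file path BRO_PIDFILE, a log directory BRO_LOGDIR, a site script set named by BRO_SCRIPTS, and a BPF filter that excludes the forwarder's own port (9997 is Splunk's default) so the sensor does not capture the traffic it causes, which is the snowball effect Mike warns about in point (4); all of those names and defaults are assumptions.

```shell
#!/bin/sh
# Endpoint watchdog for a standalone Bro instance (added example, not from the thread).
# Assumptions (not stated on the page): Bro lives under BRO_PREFIX, the watchdog
# records the pid in BRO_PIDFILE, Bro writes its logs into BRO_LOGDIR, and the
# Splunk forwarder picks up anything linked under /var/log.
BRO_PREFIX="${BRO_PREFIX:-/usr/local/bro}"
BRO_PIDFILE="${BRO_PIDFILE:-/var/run/bro.pid}"
BRO_LOGDIR="${BRO_LOGDIR:-$BRO_PREFIX/logs/current}"
BRO_LOGLINK="${BRO_LOGLINK:-/var/log/bro}"
BRO_IFACE="${BRO_IFACE:-en0}"
BRO_SCRIPTS="${BRO_SCRIPTS:-local}"            # hypothetical site script set managed from git
BRO_FILTER="${BRO_FILTER:-not tcp port 9997}"  # keep the forwarder's own traffic out of the capture

# bro_is_running PIDFILE: succeed only if PIDFILE holds a numeric pid of a live process.
bro_is_running() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" 2>/dev/null)
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric content: treat as not running
    esac
    kill -0 "$pid" 2>/dev/null
}

# ensure_log_link SRC DST: make DST a symlink to SRC, replacing a stale symlink,
# but never clobber a real file or directory that already sits at DST.
ensure_log_link() {
    src="$1"; dst="$2"
    if [ -L "$dst" ]; then
        [ "$(readlink "$dst")" = "$src" ] && return 0
        rm -f "$dst"
    elif [ -e "$dst" ]; then
        echo "refusing to replace non-symlink $dst" >&2
        return 1
    fi
    ln -s "$src" "$dst"
}

# start_bro: launch Bro in the background from the log directory (Bro writes
# its logs to the current working directory) and record the pid.
start_bro() {
    (cd "$BRO_LOGDIR" && exec "$BRO_PREFIX/bin/bro" -i "$BRO_IFACE" \
        -f "$BRO_FILTER" "$BRO_SCRIPTS") >/dev/null 2>&1 &
    echo $! > "$BRO_PIDFILE"
}

# watchdog_once: one check cycle. Returns 0 if Bro was already running and
# 1 if it had to be (re)started, so a caller can count restarts.
watchdog_once() {
    ensure_log_link "$BRO_LOGDIR" "$BRO_LOGLINK" || true
    if bro_is_running "$BRO_PIDFILE"; then
        return 0
    fi
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) bro not running, restarting" >&2
    start_bro
    return 1
}

# Loop only when invoked as "watchdog.sh run" (e.g. from a launchd job);
# sourcing the file just defines the functions above.
if [ "${1:-}" = "run" ]; then
    while :; do
        watchdog_once
        sleep "${BRO_CHECK_INTERVAL:-60}"
    done
fi
```

Run it under launchd with KeepAlive so the watchdog itself is restarted, and have the restart line on stderr go to a file the forwarder also picks up; a burst of "restarting" messages from one laptop is the process-health signal Dan says he still needs.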