Hello.
I am exploring whether Bro can work for my company in a particular use case. What I would like to do is run Bro sensors on developer laptops, centrally manage the Bro scripts that run on those end points and ensure the Bro process is always running.
What is the best way to run a deployment like this? Has it been done before? Bro Cluster doesn’t look like the right solution.
As far as managing the scripts, I was thinking of building an AWS code pipeline where I can promote scripts through a Git repo, then have a process whereby approved scripts get pushed out to the end points quickly.
Any help on this would be appreciated.
Dan.
I don’t know anyone else that’s tried this, but it’s an interesting thought experiment. A few initial thoughts in no particular order…
(1) Given that Bro can be relatively CPU intensive, your developers will likely hate you for having something like that running on the same system where they’re trying to do their work. I’d suggest setting up a one-off example and getting some real data on performance impact.
(2) Cool idea!
(3) I’d definitely run these as one-off Bro instances rather than trying to make it a cluster. To start cluster communication doesn’t traverse secure protocols. However, that means you’ll have to build up your own means of getting the log data, alerts, and checking on process status.
(4) Related to (3) most of us use Bro to passively monitor network links. If your Bro process is sending data back out over the same network connection that it’s monitoring you’ll need to be very careful not to build a snowball effect.
(5) We’ve been tracking our Bro policies in git for some time now, works great.
(6) Do your developers run a fairly standard system configuration on their endpoints or would you have to potentially build Bro for a lot of different environments?
(7) Maybe you could have Bro running on the endpoint only when the developer is traveling or otherwise on a less trusted (unmonitored) network?
-Dop
Some responses inline. I may try and leverage AWS lambda triggers on git commits and Jamf to get new scripts down to the laptops somehow.
Thanks for your responses. I will check back in if I make any good progress.
Dan.
I don’t know anyone else that’s tried this, but it’s an interesting thought experiment. A few initial thoughts in no particular order…
(1) Given that Bro can be relatively CPU intensive, your developers will likely hate you for having something like that running on the same system where they’re trying to do their work. I’d suggest setting up a one-off example and getting some real data on performance impact.
Definitely going to look at how this impacts the use of the laptops. Initial assessments on my own show that the bro processes don’t use anything more than 2% CPU with the out of the box scripts.
(2) Cool idea!
If it works. 
(3) I’d definitely run these as one-off Bro instances rather than trying to make it a cluster. To start cluster communication doesn’t traverse secure protocols. However, that means you’ll have to build up your own means of getting the log data, alerts, and checking on process status.
Yes. We run splunk forwarder on the laptops too and I sym link the bro logs into /var/log which splunk forwards out for indexing. Process checking is another thing I have to figure out.
(4) Related to (3) most of us use Bro to passively monitor network links. If your Bro process is sending data back out over the same network connection that it’s monitoring you’ll need to be very careful not to build a snowball effect.
Agreed. Gotcha.
(5) We’ve been tracking our Bro policies in git for some time now, works great.
cool.
(6) Do your developers run a fairly standard system configuration on their endpoints or would you have to potentially build Bro for a lot of different environments?
Yes. This is going to be running on modern MacBook Pro laptops fully loaded. Should be no issues.
(7) Maybe you could have Bro running on the endpoint only when the developer is traveling or otherwise on a less trusted (unmonitored) network?
Worth thinking about.
Are you attempting to monitor traffic coming to and from the hosts? If so, wouldn’t it be easier to keep bro at the network level and require VPN connections for remote employees?
Another possible option if you’re just looking for some general endpoint information is to try out the bro-osquery connection: (https://github.com/bro/bro-osquery)
Just a little more food for thought.
-Sam