I am setting up bro to monitor traffic passing through my proxy that I shall use for some experiments and measurements.
For IRB compliance, I need to encrypt the logs using a RSA public key before the logs are stored on the disk. I would like to know if anyone has run into a similar requirement while using bro.
In any case, the only way I can currently think of encrypting the logs before a write is by wrapping the safe_write and safe_close functions (in “src/util.cc” file in the source tree). The wrapper function shall keep the file specific encryption state in the Ascii class present in src/logging/writers/Ascii.cc. This wrapper function shall first encrypt the data and then call either safe_write or safe_close respectively.
I would like to get feedback on whether this seems right and if I am missing something that has already been done and can be used without this hack.
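As an added example (not Bro's code and not the poster's patch), here is what the per-file encryption state behind such a safe_write/safe_close wrapper could look like, written in Python with the third-party cryptography package rather than in src/util.cc. An RSA public key cannot encrypt a stream directly, so the example uses hybrid encryption: a random AES-256-GCM data key is wrapped with RSA-OAEP into a file header, each write becomes a length-prefixed GCM record, and a decrypt routine shows the log-processing side; the header format, the names and the roundtrip helper are constructed for illustration.

```python
import io, os, struct
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP wraps the per-file AES-256 key; only the private key holder can unwrap it.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
MAGIC = b"BROENC1"  # constructed header marker for this example, not a Bro format

class EncryptedLogState:  # per-file state the Ascii writer would hold: key, nonce counter, sink
    def __init__(self, pubkey, sink):
        self.sink = sink
        self.key = AESGCM.generate_key(bit_length=256)  # plaintext key never reaches disk
        self.prefix = os.urandom(8)  # random nonce prefix, unique per file
        self.counter = 0             # 32-bit record counter completes the 12-byte GCM nonce
        wrapped = pubkey.encrypt(self.key, OAEP)
        sink.write(MAGIC + struct.pack(">H", len(wrapped)) + wrapped + self.prefix)

    def write(self, data: bytes) -> None:  # stands in for the safe_write wrapper
        nonce = self.prefix + struct.pack(">I", self.counter)
        self.counter += 1
        ct = AESGCM(self.key).encrypt(nonce, data, None)  # GCM tag is appended to ct
        self.sink.write(struct.pack(">I", len(ct)) + ct)  # length-prefixed record

    def close(self) -> None:  # stands in for the safe_close wrapper
        self.key = None  # forget the data key together with the file

def decrypt_log(privkey, blob: bytes) -> bytes:
    """Log-processing side: unwrap the data key, then decrypt record by record."""
    if blob[:7] != MAGIC:
        raise ValueError("not an encrypted log")
    klen = struct.unpack(">H", blob[7:9])[0]
    aead = AESGCM(privkey.decrypt(blob[9:9 + klen], OAEP))
    prefix, pos = blob[9 + klen:17 + klen], 17 + klen
    out, counter = [], 0
    while pos < len(blob):
        n, pos = struct.unpack(">I", blob[pos:pos + 4])[0], pos + 4
        out.append(aead.decrypt(prefix + struct.pack(">I", counter), blob[pos:pos + n], None))
        pos, counter = pos + n, counter + 1
    return b"".join(out)

def roundtrip(records):  # encrypt constructed records with a fresh key pair, then decrypt
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sink = io.BytesIO()
    state = EncryptedLogState(priv.public_key(), sink)
    for rec in records: state.write(rec)
    state.close()
    blob = sink.getvalue()
    return blob, decrypt_log(priv, blob)
```

Because every record carries a GCM tag and the counter is part of the nonce, a truncated, reordered or edited file fails to decrypt instead of yielding silently altered log lines.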
That approach (changing every place the Ascii writer does a write in the C++ land) sounds like it would work. And if the encryption behavior were made toggle-able (possibly via some script-land variables that could be set/redef'd), that would make a patch to do such a thing more acceptable.
I believe even the encryption code itself is still in there, but afaict it hasn't been exercised in a while and it's kind of useless now that we have the new logging system which does things differently internally.
I've been waiting for *just* the right moment to either implement encryption in the logging framework or get someone else to do it. I'd like to approach it in a way where you could either encrypt entire logs, specific lines, or even individual fields. We'd then just have to have the tooling on the log processing side that can understand this encryption and decrypt it.
Generally though, I think it's fine to remove the log encryption stuff from files and move it all over to the logging framework.