Info on configuring bro inline in AWS as IDS

Hello Bros:

I’m just now installing bro for the government website at Small Business Admin.

The plan is to have bro behind our public ELBs as an in-line IDS, then route traffic to internal ELBs in front of our application / web servers.

As this is AWS, no tap is possible and the EC2s can be run in promiscuous mode either.

After a quick review of the documentation, I don’t see where I can configure the routing once bro has done its work.

I.E. if I configure:

bro -i en0 <list of scripts to load>

do I need to then configure a script that will export all traffic to another agent such as an ELB or nginx ?

Any help would be appreceated.


I’m not very familiar with Amazon ELBs, but this is an interesting model so I have a couple clarifying questions to make sure we understand what you’re trying to do

  1. So the model is ext_ELB → Bro/router → int_ELB, using Bro as an IPS rather than IDS? Are you planning multiple Bro instances to handle the load and provide failover?

  2. Bro, by itself, is not a routing engine. It doesn’t pass traffic out to another interface once it’s done examining it.

If I understand what you’re trying to do, you’d need to setup a software router (pfSense, Clickrouter, PacketBricks?, Microtik’s RouterOS) have it mirror traffic to Bro, and then write Bro policies to inject rules into the router as needed. I’m not sure if someone has already done it, but it wouldn’t be an insignificant effort.

(I believe Amazon supports a few virtual IPS appliances, like Palo Alto or Juniper as well.)


Oh, thanks, Mike…

Comments/responses posted below.

Because AWS doesn’t provide any concept of a tap, there are really only two ways to run an IDS in AWS:

  1. Have a central Bro worker node, and on each system where you want to examine the traffic, set up a VPN tunnel with OpenVPN to your Bro node, and use a tool called daemonlogger to sniff traffic off the ethernet interface and send it out over the OpenVPN interface. On the Bro worker node, you run one Bro instance per OpenVPN interface.
  2. Directly on the nodes whose traffic you want to monitor, run a Bro worker, configured to monitor its network interface.

(I recall reading a document from Amazon about setting up the former, but I’m unable to find it right now.)