[Not] Running Bro as root?


So from what I understand it is not at all a trivial task to get bro to properly run/function under a user account other than root (Linux [RHEL/CentOS]).

Just mostly out of curiosity, I was wondering if anyone had taken on this task and is successfully running bro in production under a non-root user account? Further, has anyone perhaps automated/scripted some/all of the changes required in order to move bro to run as a non-root user account without issue?

Thank you,


Please see https://www.bro.org/documentation/faq.html#how-can-i-capture-packets-as-an-unprivileged-user which should address your concerns.

Take care,



We run bro as the ‘bro’ user. It wasn’t that much work really to get it to happen. Our bro clusters are also all deployed using ansible. The relevant snippets (just snippets, this obviously isn’t all of the role here) are in here, but I can work on publishing the necessary info to ansible-galaxy if that would be useful to you as well.

- Sam

  # Dedicated service account, with an ssh key pair generated for it
  - name: Create Bro user
    user:
      name: "{{ bro_user }}"
      comment: "Bro User"
      state: present
      generate_ssh_key: true
      ssh_key_file: .ssh/id_rsa

  # Copy the manager's public key back to the control host
  - name: Fetch Bro user's ssh key
    fetch:
      src: "/home/{{ bro_user }}/.ssh/id_rsa.pub"
      dest: /tmp/id_rsa.pub
      flat: yes
    when: "'bro_manager' in group_names"

  # Authorize that key (and only that key) for the Bro user on every node
  - name: Push out Bro user's key
    authorized_key:
      user: "{{ bro_user }}"
      key: "{{ lookup('file', '/tmp/id_rsa.pub') }}"
      state: present
      exclusive: yes

  - name: Fix permissions on bro directory for bro user
    file:
      path: "{{ bro_path }}"
      state: directory
      mode: 0755
      owner: "{{ bro_user }}"
      group: "{{ bro_user }}"
      recurse: yes

  # File capabilities are lost when the binary is replaced, so re-check after each install
  - name: Check if permissions exist for {{ bro_user }} to capture packets
    shell: "getcap {{ bro_path }}/bin/bro"
    register: bro_cap_perms
    when: bro_install.changed

  - name: Set permissions for {{ bro_user }} to capture packets
    shell: "setcap cap_net_raw,cap_net_admin=eip {{ bro_path }}/bin/bro"
    when: (bro_install.changed) and (bro_cap_perms.stdout.find('/usr/local/bro/bin/bro = cap_net_admin,cap_net_raw+eip') != 0)

It’s actually easy to run Bro as a generic user, that’s how our cluster has been working from day one.

For afpacket, cap net raw is required

Cap net admin is not and is strongly discouraged.

Bro needs to write its own directories, we have them owned by the Bro user.


Check out the ROCK NSM project:

ROCK runs Bro without root privileges on RHEL/CentOS 7.3 with SELinux in enforcing mode (setenforce 1). ROCK is built using Ansible.



Can you expand on “Cap net admin is not and is strongly discouraged.”

I set that as it’s in the bro documentation as necessary. It’d be great to get that documentation updated if it’s not actually required.


BTW: This may be relevant for some installations as well: https://stackoverflow.com/questions/29099797/raw-capture-capabilities-cap-net-raw-cap-net-admin-not-working-outside-usr-b#30826137

egrep -R CAP_NET_ADMIN linux-4.17 | egrep capable | wc -l


egrep -R CAP_NET_RAW linux-4.17 | egrep capable | wc -l


It’s basically about how many more privileges are granted by the net admin cap. None of them are necessary for Bro or Suricata to work. I do not want the Bro user to be able to manage every network setting. This is especially important to people with containers.

Above is true unless your capture technology decides otherwise, of course. AF_Packet is OK with just net raw. Myricom SNF needs nothing (and that’s pretty scary).
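
The least-privilege point above (AF_Packet works with cap_net_raw alone) as an added check, not part of the thread or of Bro's own tooling: the hypothetical function excess_caps takes one line of getcap output and reports anything beyond an allowlist. It accepts both the "path = caps+eip" form quoted earlier in the thread and the "path caps=eip" form that newer libcap releases print; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: report capabilities on a binary beyond an allowlist,
# given one line of `getcap` output. Sample lines below are constructed.

# excess_caps LINE [ALLOWED]
#   ALLOWED is a comma-separated allowlist (default: cap_net_raw).
#   Prints "ok", "none" (no capabilities set), or the excess capabilities.
excess_caps() (
    set -f                              # no globbing while word-splitting
    line=$1
    allowed=",${2:-cap_net_raw},"
    spec=${line#* }                     # drop the path (assumes no spaces in it)
    if [ "$spec" = "$line" ]; then spec=""; fi   # path only: nothing set
    spec=${spec#= }                     # older getcap prints "path = caps"
    extra="" seen=""
    for clause in $spec; do
        seen=1
        names=${clause%%[+=-]*}         # "cap_a,cap_b+eip" -> "cap_a,cap_b"
        if [ -z "$names" ]; then names="all"; fi   # bare "=ep": every capability
        for cap in $(printf '%s' "$names" | tr ',' ' '); do
            case $allowed in
                *",$cap,"*) ;;                          # permitted
                *) extra="${extra:+$extra,}$cap" ;;     # over-privileged
            esac
        done
    done
    if [ -z "$seen" ]; then echo "none"
    elif [ -z "$extra" ]; then echo "ok"
    else echo "$extra"; fi
)

# Constructed samples; on a sensor use: excess_caps "$(getcap "$bro_bin")"
bro_bin=/usr/local/bro/bin/bro
for sample in \
    "$bro_bin = cap_net_admin,cap_net_raw+eip" \
    "$bro_bin cap_net_raw=eip" \
    ""
do
    printf '%-60s -> %s\n' "${sample:-<no getcap output>}" "$(excess_caps "$sample")"
done
```

A result of "none" means the binary carries no file capabilities at all, which is what getcap shows after an install or deploy has replaced the file.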


I believe that's just due to the default permissions of the devices they install:

crw-rw-rw-. 1 root root 241, 0 May 16 08:37 /dev/myriC0
crw-rw-rw-. 1 root root 241, 2 May 16 08:37 /dev/myriC1
crw-rw-rw-. 1 root root 241, 4 May 16 08:37 /dev/myriC2
crw-rw-rw-. 1 root root 241, 6 May 16 08:37 /dev/myriC3
crw-rw-rw-. 1 root root 241, 8 May 16 08:37 /dev/myriC4
crw-rw-rw-. 1 root root 241, 10 May 16 08:37 /dev/myriC5
crw-rw-rw-. 1 root root 241, 12 May 16 08:37 /dev/myriC6
crw-rw-rw-. 1 root root 241, 14 May 16 08:37 /dev/myriC7

You can

chown root:bro /dev/myriC?
chmod 0660 /dev/myriC?

and that should do what you want.

And to your second point - yes, bro documentation needs some improvements when it comes to the afpacket.

Agreed. I put together some of what we have now for starting up a bro cluster using pf_ring since that used to be the only generic option.

Now that af_packet is working almost everywhere I want to add a section to the docs for that. The bro side of things is actually really simple, most of the effort goes into validating that af_packet is hashing things properly.

Thanks everyone for the input on this, it’s been very helpful, and I think seems to be resulting in some positive things. I received some great info from folks both on and off list.

Side note: Apologies for unintentionally hijacking the subject line marker, I probably should have used parentheses instead of brackets… : )


I also wrote a plugin awhile back that performs the setcap for you after each install or deploy. It's easy enough to adjust the command line to meet your needs (_raw, _admin, etc):