[Bro] Local Subnet List
vern at icir.org
Mon Nov 6 13:22:29 PST 2006
> How large can this list be? I would imagine
> the larger the list, the more work Bro will need to do to match the local
> subnets against the traffic.
Actually, that's not the case. Bro uses patricia trees when matching
subnets (and hash tables for things like sets of addresses), so there's
very little performance penalty for listing your local subnets.
> Is there a way not to define local subnets?
Yes, by default, they're not defined.
> If you made the traffic analysis be bidirectional, would that be possible?
The analysis is always bidirectional, though some types of activity are
treated differently if perceived as incoming vs. outgoing.
More information about the Bro