[Bro] Broctl policy files

Seth Hall seth at icir.org
Tue Apr 29 06:37:58 PDT 2014

On Apr 29, 2014, at 9:17 AM, M K <mkhan04 at gmail.com> wrote:

> Is there any guidance/information as to how things should be split up between the 3 types of site policies (manager, proxy, worker)? Can it actually make a difference in performance or is it mainly there for organization purposes?

This has been an especially weak area for us regarding documentation.  I've actually been considering removing the local-manager.bro, local-worker.bro, and local-proxy.bro files for quite a while now because in most cases the frameworks are cluster capable and you don't need to do anything special (i.e. the right stuff runs in the right place automatically).

> As far as I can tell the docs only mention that notice filtering needs to be done on the manager and everything else can go into the generic local.bro file. Is there any further guidance?

You can do the filtering in local.bro. The local-*.bro files are a holdover from back when we were still very unclear on how to achieve cluster transparency in a lot of code we were writing. As more of our code has grown to cope with clusters automatically, we've never found a strong need for users to be exposed to the node differentiation, which is frequently quite difficult to get right anyway.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
