[Bro] CIDR and limitation on indicators

Chris Williams cw13 at umbc.edu
Wed Jan 6 09:54:50 PST 2016

I have been happily utilizing the criticalstack plugin which allows for
integrating a number of feeds as indicators. I am ultimately trying to
establish a system of creating, maintaining, and pushing a blacklist of my
own, but I have come across an issue/question regarding the limitations of

I am currently using the intel framework with 5 feeds and 68k+ indicators.
Their documentation suggested that it can allow the integration of your own
list, and I wanted to try Spamhaus' list located here: [

I wrote Critical Stack to ask about the integration of CIDR blocks as
indicators and I was told:

"The sheer volume of addresses was actually one of the reasons that we did
not include lists like Spamhaus. With the current limitations in Bro of
only being able to handle 100-200K indicators most of the CIDR lists pushed
us way over that limit very quickly.

We did start work on CIDR expansion but it just wasn't going to fit into
the current state of Bro's Intel Framework."

I am curious because the documentation [
https://www.bro.org/sphinx/script-reference/types.html#type-addr] suggests
that BRO can read CIDR notation, so is there an upper limitation with
respect to BRO's indicators? If so, what is it? Is it hardware bound, or
can it be improved somewhow?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160106/db8e8742/attachment.html 

More information about the Bro mailing list