[Bro] CIDR and limitation on indicators
Azoff, Justin S
jazoff at illinois.edu
Wed Jan 6 10:11:34 PST 2016
> On Jan 6, 2016, at 12:54 PM, Chris Williams <cw13 at umbc.edu> wrote:
> I am curious because the documentation [https://www.bro.org/sphinx/script-reference/types.html#type-addr] suggests that BRO can read CIDR notation, so is there an upper limitation with respect to BRO's indicators? If so, what is it? Is it hardware bound, or can it be improved somehow?
This has come up a few times, there isn't a huge technical reason why the intel framework could not be modified to handle CIDR blocks as well as individual hosts.
The one potential problem is overlap. If one indicator exists for 192.168.1.0/24 and another has 192.168.0.0/16, a match for 192.168.1.1 will only pull up the record for the larger prefix. This can be a problem if you really need the information present in both entries.
The most recent ticket I can find about this is https://bro-tracker.atlassian.net/browse/BIT-1167
That has a patch, but it needs to be modified as the comments mention.
- Justin Azoff
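An added example (not from this thread or the Bro project) illustrating the overlap problem above: with longest-prefix semantics, the way a subnet-indexed table resolves an address lookup, only the /24 record surfaces for 192.168.1.1, whereas collecting every enclosing prefix keeps both records. The indicator table is constructed sample data.

```python
import ipaddress
from typing import Dict, List

# Constructed sample indicator table with overlapping prefixes (not real feeds).
INDICATORS: Dict[str, dict] = {
    "192.168.0.0/16": {"source": "feed-A", "desc": "hostile range"},
    "192.168.1.0/24": {"source": "feed-B", "desc": "scanner subnet"},
    "10.0.0.0/8": {"source": "feed-C", "desc": "internal space"},
}

# Parse once so lookups compare against ip_network objects.
NETWORKS = {ipaddress.ip_network(k): v for k, v in INDICATORS.items()}


def longest_prefix_match(addr: str) -> List[str]:
    """Return only the most specific prefix containing addr.

    This mirrors a subnet-indexed table lookup: the /16 record is lost
    when a more specific /24 also matches.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for net in NETWORKS:
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return [str(best)] if best is not None else []


def all_matches(addr: str) -> List[str]:
    """Return every prefix containing addr, most specific first.

    Keeping all enclosing prefixes preserves the information from both
    overlapping indicators instead of only the narrowest one.
    """
    ip = ipaddress.ip_address(addr)
    hits = [net for net in NETWORKS if ip in net]
    hits.sort(key=lambda n: n.prefixlen, reverse=True)
    return [str(n) for n in hits]


def records_for(addr: str) -> List[dict]:
    """Intel records for every matching prefix, most specific first."""
    return [NETWORKS[ipaddress.ip_network(p)] for p in all_matches(addr)]


if __name__ == "__main__":
    print("longest-prefix only:", longest_prefix_match("192.168.1.1"))
    print("all enclosing prefixes:", all_matches("192.168.1.1"))
    print("records:", records_for("192.168.1.1"))
```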