[Bro] On Bro's configuration file
vladg at illinois.edu
Tue May 16 09:49:51 PDT 2017
I didn't see a response, but perhaps I missed it.
"LinuxBSDos.com" <finid at vivaldi.net> writes:
> 1. In node.cfg, what if I have two interfaces on a server that I'd like
> to monitor, can I add the second interface, like
No, you'll either need to create a bond interface, or add two entries in there.
> 2. Regarding the networks.cfg file, it says it's a "List of local
> networks", while the docs say it's a list of "networks that Bro will
> consider local to the monitored environment".
> By "local", does that mean _any_ IP address network associated with the
> server, including that that a private interface belongs to, and the
> loopback interface?
Most deployments add RFC-1918 space to that list as well. That list
mainly feeds a helper function, Site::is_local_addr. This is used in
a few places, such as known_hosts. It's mainly used to differentiate
"your" networks from "other" networks. If you have some RFC-1918 space
that isn't yours, you should consider not including that there, and
possibly listing it as a neighbor network.
 - <https://www.bro.org/sphinx/scripts/base/utils/site.bro.html?highlight=is_local#id-Site::is_local_addr>
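The local/neighbor distinction described in the reply above, as an added example that is not part of the original message. The subnets and sample addresses are constructed, `classify` is a hypothetical helper, and the `redef` lines stand in for the entries BroControl would load from networks.cfg.

```bro
# Added illustration; the networks below are constructed sample values.

# "Your" networks: what networks.cfg entries end up populating.
redef Site::local_nets += { 10.10.0.0/16, 192.0.2.0/24 };

# RFC-1918 space that is routed to you but belongs to someone else.
redef Site::neighbor_nets += { 10.20.0.0/16 };

# Hypothetical helper: label an address the way the Site helpers see it.
function classify(a: addr): string
    {
    if ( Site::is_local_addr(a) )
        return "local";
    if ( Site::is_neighbor_addr(a) )
        return "neighbor";
    return "other";
    }

event bro_init()
    {
    # One address per case: local, neighbor, unlisted RFC-1918, external.
    local samples: vector of addr = vector(10.10.1.5, 10.20.3.7,
                                           10.30.0.1, 198.51.100.9);
    for ( i in samples )
        print fmt("%s -> %s", samples[i], classify(samples[i]));
    }

# On live traffic or a pcap, label both endpoints of each connection.
event new_connection(c: connection)
    {
    print fmt("%s (%s) -> %s (%s)",
              c$id$orig_h, classify(c$id$orig_h),
              c$id$resp_h, classify(c$id$resp_h));
    }
```

RFC-1918 space that is listed in neither set is treated the same as any external address, which is why unlisted private ranges can appear as "other" in scripts that rely on these helpers.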