[Bro] On Bro's configuration file

Vlad Grigorescu vladg at illinois.edu
Tue May 16 09:49:51 PDT 2017

I didn't see a response, but perhaps I missed it.

"LinuxBSDos.com" <finid at vivaldi.net> writes:

> 1. In node.cfg, what if I have two interfaces on a server that I'd like
> to monitor, can I add the second interface, like
> "interface=eth0,eth1"?

No, you'll either need to create a bond interface, or add two entries in there.

> 2. Regarding the networks.cfg file, it says it's a "List of local
> networks", while the docs say it's a list of "networks that Bro will
> consider local to the monitored environment".
> By "local", does that mean _any_ IP address network associated with the
> server, including that that a private interface belongs to, and the
> loopback interface?

Most deployments add RFC-1918 space to that list as well. That list
mainly feeds a helper function, Site::is_local_addr [1]. This is used in
a few places, such as known_hosts. It's mainly used to differentiate
"your" networks from "other" networks. If you have some RFC-1918 space
that isn't yours, you should consider not including that there, and
possibly listing it as a neighbor network.


[1] - <https://www.bro.org/sphinx/scripts/base/utils/site.bro.html?highlight=is_local#id-Site::is_local_addr>
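The effect of the networks.cfg choice described in the reply above, as an added Python model (not part of the original message and not Bro code). The sample networks, the neighbor list and the function names `parse_networks_cfg` and `classify` are constructed for illustration, and checking local before neighbor is an assumption of this sketch.

```python
import ipaddress

# Constructed sample in networks.cfg layout: one CIDR per line, optional description.
NETWORKS_CFG = """\
# List of local networks in CIDR notation, optionally followed by a description.
10.20.0.0/16      Our data centre (constructed)
192.168.50.0/24   Our office LAN (constructed)
"""

# Constructed neighbor list: RFC 1918 space that is reachable but not ours.
NEIGHBOR_NETS = [ipaddress.ip_network("10.99.0.0/16")]

# What many deployments list as local: all RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_networks_cfg(text):
    """Return the networks listed in networks.cfg-style text."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # First field is the prefix; the rest of the line is the description.
        nets.append(ipaddress.ip_network(line.split()[0], strict=True))
    return nets


def classify(addr, local_nets, neighbor_nets):
    """Model of the local / neighbor / other split (local checked first)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in local_nets):
        return "local"
    if any(ip in net for net in neighbor_nets):
        return "neighbor"
    return "other"


if __name__ == "__main__":
    narrow = parse_networks_cfg(NETWORKS_CFG)
    print("address        narrow-list  blanket-RFC1918")
    for addr in ("10.20.3.4", "10.99.1.1", "192.168.50.7", "8.8.8.8"):
        print(f"{addr:<14} {classify(addr, narrow, NEIGHBOR_NETS):<12} "
              f"{classify(addr, RFC1918, NEIGHBOR_NETS)}")
```

With the blanket RFC 1918 list, the constructed neighbor address 10.99.1.1 is reported as local, which is the case the reply suggests avoiding.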
