[Bro-Dev] Script reorg proposal

Matthias Vallentin vallentin at icir.org
Mon Aug 1 12:36:38 PDT 2011

> Does this make an implicit assumption that only one user is
> configuring the Bro policy for a site or system? 

No, I did not mean to imply a single "Bro admin" per system, although
this is probably common practice.

> Or does bro run as root and hence this would almost always be in
> /root/.bro ?

On many UNIX flavors [1], Bro will probably need to run as root in order to
access the network interfaces. But supporting ~/.bro has also benefits
for users who simply want to do trace analysis (i.e., no root
privileges required) and customize "their" Bro. Another plus is that
rolling Bro updates system-wide or uninstalling Bro is independent of a
user's configuration.


[1] Some BSDs support access control via groups, and IIRC Robin wrote a
    patch for Linux.

More information about the bro-dev mailing list