[Bro] On Bro's configuration file
Vlad Grigorescu
vladg at illinois.edu
Tue May 16 09:49:51 PDT 2017
I didn't see a response, but perhaps I missed it.
"LinuxBSDos.com" <finid at vivaldi.net> writes:
> 1. In node.cfg, what if I have two interfaces on a server that I'd like
> to monitor, can I add the second interface, like
> "interface=eth0,eth1"?
No, you'll either need to create a bond interface, or add two entries in there.
> 2. Regarding the networks.cfg file, it says it's a "List of local
> networks", while the docs say it's a list of "networks that Bro will
> consider local to the monitored environment".
>
> By "local", does that mean _any_ IP address network associated with the
> server, including that that a private interface belongs to, and the
> loopback interface?
Most deployments add RFC-1918 space to that list as well. That list
mainly feeds a helper function, Site::is_local_addr [1]. This is used in
a few places, such as known_hosts. It's mainly used to differentiate
"your" networks from "other" networks. If you have some RFC-1918 space
that isn't yours, you should consider not including that there, and
possibly listing it as a neighbor network.
--Vlad
[1] - <https://www.bro.org/sphinx/scripts/base/utils/site.bro.html?highlight=is_local#id-Site::is_local_addr>
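The local/neighbor/other split described in the reply, as an added example that is not part of the original message and is not Bro's own code. It is a Python model of the idea only: the sample prefixes, `NEIGHBOR_NETS` and the function names are constructed for illustration, and only prefixes that are explicitly listed count as local.

```python
import ipaddress

# Constructed sample in networks.cfg layout: a CIDR prefix, then an optional tag.
NETWORKS_CFG = """\
# List of local networks in CIDR notation
10.0.0.0/8          Private IP space
192.168.0.0/16      Private IP space
2001:db8:10::/48    Site IPv6 (documentation prefix)
"""

# Assumption: RFC 1918 space that belongs to someone else, so it is kept
# out of the local list and tracked as a neighbor instead.
NEIGHBOR_NETS = [ipaddress.ip_network("172.16.0.0/12")]


def parse_networks_cfg(text):
    """Return the prefixes listed in networks.cfg-style text."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True rejects typos such as 10.1.2.3/8 (host bits set)
            nets.append(ipaddress.ip_network(line.split()[0], strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
    return nets


def _contains(nets, ip):
    # Compare only within the same IP version (v4 vs v6).
    return any(ip.version == n.version and ip in n for n in nets)


def classify(addr, local_nets, neighbor_nets):
    """Label an address 'local', 'neighbor' or 'other'; local wins on overlap."""
    ip = ipaddress.ip_address(addr)
    if _contains(local_nets, ip):
        return "local"
    if _contains(neighbor_nets, ip):
        return "neighbor"
    return "other"


if __name__ == "__main__":
    local = parse_networks_cfg(NETWORKS_CFG)
    for a in ("10.1.2.3", "172.16.4.4", "127.0.0.1", "8.8.8.8", "2001:db8:10::1"):
        print(a, classify(a, local, NEIGHBOR_NETS))
```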