[Bro] local network warning

Jon Siwek jsiwek at corelight.com
Tue Sep 11 13:45:26 PDT 2018


On Tue, Sep 11, 2018 at 2:45 PM john Y <yjohn9691 at gmail.com> wrote:

> when i run bro command : "bro -r ./file.pcap ./script_path" warning is being shown : "no site :: local_nets have not been defined. its good idea to define your local network."
>
> Why is it recommended to define local network, althogh i am reading pcap file?

It's just a suggestion and typically only seen if you load the
tunings/defaults/warnings.bro script usually via site/local.bro.  It's
recommended because some scripts make decisions based on it and raise
notices only if an event in question concerns a host in a local
network.  If you're only interested in using Bro for the just the
protocol analysis aspect of things and not interested in these sorts
of policy decisions that it can make, you can probably just ignore the
warning.

> How do i define the network? where?

You can load a custom script that does something like:

    redef Site::local_nets += { 192.168.0.0/16, 10.0.0.0/8 };

Or just add it to the command-line:

    bro -r ./file.pcap ./script_path "Site::local_nets += {
192.168.0.0/16, 10.0.0.0/8 }"

- Jon


More information about the Bro mailing list