Broctl policy files

Is there any guidance/information as to how things should be split up between the 3 types of site policies (manager, proxy, worker)? Can it actually make a difference in performance or is it mainly there for organization purposes?

As far as I can tell the docs only mention that notice filtering needs to be done on the manager and everything else can go into the generic local.bro file. Is there any further guidance?

> Is there any guidance/information as to how things should be split up between the 3 types of site policies (manager, proxy, worker)? Can it actually make a difference in performance or is it mainly there for organization purposes?

This has been an especially weak area for us regarding documentation. I've actually been considering removing the local-manager.bro, local-worker.bro, and local-proxy.bro files for quite a while now because in most cases the frameworks are cluster capable and you don't need to do anything special (i.e. the right stuff runs in the right place automatically).

> As far as I can tell the docs only mention that notice filtering needs to be done on the manager and everything else can go into the generic local.bro file. Is there any further guidance?

You can do the filtering in local.bro. The local-*.bro files are a holdover from back when we were still very unclear on how to achieve cluster transparency in a lot of code we were writing. As more of our code has grown to cope with clusters automatically, we've never found a strong need for users to be exposed to the node differentiation, which is frequently quite difficult to get right anyway.

  .Seth