I think that there should be some way to localize information about
hostnames of machines involved in the policies. It is rather difficult
to navigate through lots of policy files.
Yes, I strongly agree. There will be features in the 0.7 release for doing
just this.
Question: How can I know that Bro works properly? As far as I remember, I
didn't install additional required libs, but it works.
Many systems come with the required library (libpcap) already installed.
After checking the policy files, it told me that it's listening on
interface ed0. Can I be sure that it is true?
You can believe the interface it claims to be listening on; that code
is copied straight from tcpdump.
To test it, create a connection that should be observed from the interface,
terminate it, and see if Bro records it in the red.* output file.
Vern
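The check Vern describes, as an added example that is not part of the original thread and not Bro's own code: open a TCP connection whose endpoints you know, close it, then search the sniffer's output for a record mentioning those endpoints. Two assumptions not stated above: the output file is plain text and each connection record carries both endpoint ports as separate tokens (the real record layout is not shown on the page, so the matcher only looks for the port numbers); and the sample log lines below are constructed for the demonstration. The listener here sits on loopback only so the script runs stand-alone; loopback traffic never crosses a real interface such as ed0, so for the actual check point `host` at a machine on the far side of the monitored interface and the listener at a service already running there.

```python
"""Added example: generate a known connection, then look for it in a log.

Not from the original thread and not Bro's code. Assumed: the output file is
plain text and each connection record mentions both endpoint ports.
"""
import re
import socket
import threading

# Constructed sample of what a connection-summary file might contain.
# The real record format is not shown on the page; only the port tokens matter here.
SAMPLE_LOG = """\
192.0.2.10 40123 192.0.2.20 22 tcp SF
192.0.2.11 51877 192.0.2.20 80 tcp SF
192.0.2.10 40124 192.0.2.30 25 tcp REJ
"""


def make_test_connection(host="127.0.0.1"):
    """Open and close one TCP connection to a throwaway listener on `host`.

    Returns (client_port, server_port) so the record can be searched for.
    The listener is created here only to keep the example self-contained;
    loopback traffic is not visible on an external interface.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))              # port 0: let the kernel choose a free port
    srv.listen(1)
    server_port = srv.getsockname()[1]

    def accept_one():
        conn, _ = srv.accept()
        conn.recv(16)                # drain the small payload, then hang up
        conn.close()

    t = threading.Thread(target=accept_one)
    t.start()
    cli = socket.create_connection((host, server_port))
    client_port = cli.getsockname()[1]
    cli.sendall(b"hello\n")          # a little payload so the connection carries data
    cli.close()                      # terminate it, as the thread above does
    t.join()
    srv.close()
    return client_port, server_port


def find_connection(log_text, client_port, server_port):
    """Return the log lines that mention both ports as whole numeric tokens."""
    client_pat = re.compile(r"(?<![\d.])%d(?![\d.])" % client_port)
    server_pat = re.compile(r"(?<![\d.])%d(?![\d.])" % server_port)
    return [
        line
        for line in log_text.splitlines()
        if client_pat.search(line) and server_pat.search(line)
    ]


def check_log_file(path, client_port, server_port):
    """Read the sniffer's output file and report whether the test connection shows up."""
    with open(path) as fh:
        return find_connection(fh.read(), client_port, server_port)


if __name__ == "__main__":
    c, s = make_test_connection()
    print("test connection used client port %d and server port %d" % (c, s))
    print("now look for those ports in the sniffer's output, e.g.:")
    print("  check_log_file('red.log', %d, %d)" % (c, s))  # file name assumed
    print("matcher demo on the constructed sample:", find_connection(SAMPLE_LOG, 40123, 22))
```

Run it, note the two ports it prints, and pass the path of the output file Bro wrote to `check_log_file`; an empty list means the connection was not recorded, which is exactly the failure the interface question is about.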