I am new to Bro, so I might be missing something obvious. I apologies if that is the case. The documentation states that Bro needs to know a list of the local subnets. How large can this list be? I would imagine the larger the list, the more work Bro will need to do to match the local subnets against the traffic. Is there a way not to define local subnets? If you made the traffic analysis be bidirectional, would that be possible?
Thank you.
John
How large can this list be? I would imagine
the larger the list, the more work Bro will need to do to match the local
subnets against the traffic.
Actually, that's not the case. Bro uses patricia trees when matching
subnets (and hash tables for things like sets of addresses), so there's
very little performance penalty for listing your local subnets.
Is there a way not to define local subnets?
Yes, by default, they're not defined.
If you made the traffic analysis be bidirectional, would that be possible?
The analysis is always bidirectional, though some types of activity are
treated differently if perceived as incoming vs. outgoing.
Vern