I didn't see a response, but perhaps I missed it.

1. In node.cfg, what if I have two interfaces on a server that I'd like
to monitor, can I add the second interface, like

No, you'll either need to create a bond interface, or add two entries in there.

2. Regarding the networks.cfg file, it says it's a "List of local
networks", while the docs say it's a list of "networks that Bro will
consider local to the monitored environment".
By "local", does that mean _any_ IP address network associated with the
server, including that that a private interface belongs to, and the

Most deployments add RFC-1918 space to that list as well. That list
mainly feeds a helper function, Site::is_local_addr. This is used in
a few places, such as known_hosts. It's mainly used to differentiate
"your" networks from "other" networks. If you have some RFC-1918 space
that isn't yours, you should consider not including that there, and
possibly listing it as a neighbor network.
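
The caveat above about RFC-1918 space that isn't yours, as an added example that is not part of the original message and is not Bro's own code: a small Python model that parses networks.cfg-style text and shows how a blanket 10.0.0.0/8 entry makes a neighbor's hosts classify as local. All addresses, the sample file content and the function names are constructed for illustration.

```python
import ipaddress

# Constructed networks.cfg content: one CIDR per line, then a free-text label.
NETWORKS_CFG = """\
# List of local networks in CIDR notation, optionally followed by a description.
192.168.10.0/24    Office LAN (constructed)
172.16.5.0/24      Sensor management (constructed)
10.0.0.0/8         All of 10/8, added wholesale
"""

# Hypothetical RFC-1918 range that belongs to a partner, not to this site.
NEIGHBOR_NETS = [ipaddress.ip_network("10.50.0.0/16")]


def parse_networks_cfg(text):
    """Return the networks listed in networks.cfg-style text."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            nets.append(ipaddress.ip_network(line.split()[0], strict=False))
    return nets


def classify(addr, local_nets, neighbor_nets):
    """Model of the local/neighbor split; this model checks the local list first."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in local_nets):
        return "local"
    if any(ip in n for n in neighbor_nets):
        return "neighbor"
    return "other"


def shadowed_neighbors(local_nets, neighbor_nets):
    """Neighbor ranges that a local entry overlaps, so their hosts look local."""
    return [(nb, loc) for nb in neighbor_nets for loc in local_nets
            if nb.version == loc.version and nb.overlaps(loc)]


if __name__ == "__main__":
    local = parse_networks_cfg(NETWORKS_CFG)
    for host in ("192.168.10.7", "10.50.3.4", "198.51.100.20"):
        print(host, classify(host, local, NEIGHBOR_NETS))
    for nb, loc in shadowed_neighbors(local, NEIGHBOR_NETS):
        print(f"{nb} is covered by local entry {loc}")
```

Removing the 10.0.0.0/8 line from the sample and listing only the ranges the site actually owns makes 10.50.3.4 classify as "neighbor".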