On Bro's configuration file

I didn't see a response, but perhaps I missed it.

"LinuxBSDos.com" <finid@vivaldi.net> writes:

1. In node.cfg, what if I have two interfaces on a server that I'd like
to monitor, can I add the second interface, like

No, you'll either need to create a bond interface, or add two entries in there.

2. Regarding the networks.cfg file, it says it's a "List of local
networks", while the docs say it's a list of "networks that Bro will
consider local to the monitored environment".

By "local", does that mean _any_ IP address network associated with the
server, including the one that a private interface belongs to, and the
loopback interface?

Most deployments add RFC-1918 space to that list as well. That list
mainly feeds a helper function, Site::is_local_addr [1]. This is used in
a few places, such as known_hosts. It's mainly used to differentiate
"your" networks from "other" networks. If you have some RFC-1918 space
that isn't yours, you should consider not including that there, and
possibly listing it as a neighbor network.


[1] - <https://www.bro.org/sphinx/scripts/base/utils/site.bro.html?highlight=is_local#id-Site::is_local_addr>
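
The local/neighbor distinction described in the reply, as an added example that is not part of the original thread or the Bro distribution: a Bro script that classifies addresses with Site::is_local_addr and Site::is_neighbor_addr. The subnets and sample addresses are constructed, the classify() helper is hypothetical, and the networks are set directly in the script here instead of through networks.cfg.

```bro
# Added example. All subnets and addresses below are constructed.

# Networks that are "yours".
redef Site::local_nets += { 10.1.0.0/16, 192.168.10.0/24 };

# RFC 1918 space that is in use nearby but is not yours
# (assumed here to be a partner organisation's range).
redef Site::neighbor_nets += { 10.2.0.0/16 };

# Hypothetical helper: name the class an address falls into.
function classify(a: addr): string
	{
	if ( Site::is_local_addr(a) )
		return "local";

	if ( Site::is_neighbor_addr(a) )
		return "neighbor";

	return "other";
	}

# Runs without any traffic: classify a few constructed addresses.
event bro_init()
	{
	local samples: vector of addr = vector(10.1.4.20, 192.168.10.7,
	                                       10.2.9.9, 172.16.0.5);

	for ( i in samples )
		print fmt("%s -> %s", samples[i], classify(samples[i]));
	}

# On live traffic or a pcap: report connections that reach a local
# host from an address that is neither local nor a listed neighbor.
event connection_established(c: connection)
	{
	local o = c$id$orig_h;
	local r = c$id$resp_h;

	if ( Site::is_local_addr(r) && classify(o) == "other" )
		print fmt("inbound from outside: %s -> %s", o, r);
	}
```

Private ranges that are left out of both sets, such as 172.16.0.5 above, fall into the "other" class even though they are RFC 1918 addresses.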