I am thinking of installing some Bro sensors in our infrastructure on
CentOS and FreeBSD hosts using the new release 2.2. My idea is to use
the Bro cluster features to set up centralized configs and logs. But after
reading the doc section about this type of deployment I have some doubts:
a) Policy rules: Do they need to be stored on the manager, or can I
deploy different rules for every Bro worker? For example, if I set up
worker A and worker B and I want to deploy only 10 rules for worker A
and 20 for worker B, how can I do that?
b) About *.cfg files: Do I need to configure these files on every
worker or only on the manager? And if it is only on the manager side
and the workers need to monitor different networks, such as internal
networks, how can I segregate this?
c) About BPF filters: In this new release (2.2), is it possible to
add BPF filters out of the box, or do I need to implement customized
scripts, as securityonion does, for example?