First off, I hope everyone had (is having) a happy holiday season.
I've finally got the daily Bro reporting mechanism working and sending out emails as I expected. However, after letting it run for a few days, I'm starting to notice something that's a little unusual. The Bytes In/Bytes Out pair as well as the Local Host/Remote Host pairs seem to be opposite.
For example, it will say something like:
                                                Local     Remote    Conn.
Local Host              Remote Host             Bytes     Bytes     Count
----------------------- ----------------------- --------- --------- -------
some.externalhost.com   my.internalhost.com        1562 K    142902    2136
This is the exact opposite of what is the actual traffic pattern. Is there a way that I can tell Bro that my /28 subnet is "local" and everything else is "remote"? I don't seem to see anything like that in the configuration files.
Thanks so much!
-Eric
Eric Wages
COLSA Corporation
Operations Manager, HMT ROC
256-721-0372, ext 110