[Bro] Trying to drop addresses...
robin at icir.org
Tue Dec 9 20:52:20 PST 2008
On Fri, Dec 05, 2008 at 15:43 -0600, you wrote:
> [Drop::AddressDropped] = drop_source,
You need to map drop_source to the notice which you want to trigger
the drop, e.g., PortScan or AddressScan. AddressDropped is generated
when an address has been dropped *already* (which won't happen if
you don't assign drop_source to anything else).
> Do I need to modify the notice_policy? I don't see any NOTICE_DROP
> examples in notice-policy.bro.
That would be the alternative. You can either return NOTICE_DROP in
the notice_policy, or assign drop_source in notice_action_filters.
Have you seen this posting about the notice framework?
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
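Added example, not part of Robin's reply or of the Bro distribution: the two alternatives described above (assigning drop_source in notice_action_filters, or returning NOTICE_DROP from notice_policy) written out as a loadable Bro 1.x policy fragment. The notice names AddressScan and PortScan, the function drop_source, and the notice_policy_item fields $pred/$result/$priority are assumed from the Bro 1.x scan.bro, drop.bro and notice.bro scripts; check them against the copies in your own installation before loading this.

```bro
# Added example (not from the original reply or the Bro distribution).
# Assumes the Bro 1.x notice framework: notice_action_filters maps a
# Notice type to a filter function, and notice_policy is a set of
# notice_policy_item records with $pred, $result and $priority fields.
@load notice
@load scan
@load drop

# Option 1: attach drop_source to the notices that should cause a drop.
# The filter runs when AddressScan or PortScan is raised, returns
# NOTICE_DROP, and the drop framework then generates Drop::AddressDropped
# itself once the address has actually been dropped.
redef notice_action_filters += {
	[AddressScan] = drop_source,
	[PortScan] = drop_source,
};

# Option 2 (either option on its own is sufficient): return NOTICE_DROP
# from notice_policy.  The notice type is matched on n$note.
redef notice_policy += {
	[$pred(n: notice_info) = { return n$note == AddressScan || n$note == PortScan; },
	 $result = NOTICE_DROP,
	 $priority = 2],
};

# Note: mapping Drop::AddressDropped to drop_source, as in the question
# being answered, never triggers a drop, because AddressDropped is only
# generated after an address has already been dropped.
```

Whichever option is used, verify it end to end by confirming that a Drop::AddressDropped notice appears for the scanning address, since that notice is only raised after the drop has actually taken place.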