[Bro] Global IP host ignore

Seth Hall seth at icir.org
Mon Jun 25 13:42:56 PDT 2012

On Jun 25, 2012, at 4:26 PM, Jake Middleton wrote:

> I have an install using 8 nodes and a master on a single host.  I'm monitoring ~2,000 hosts across a split core and would like to add a global ignore for a handful of noisy hosts.
> What's the best approach to handle this?

Unfortunately it's kind of messy right now due to implementation issues in the packet filter framework, but here it goes (it will be fixed in 2.2 probably, I didn't get the rewrite ready for 2.1)…

redef PacketFilter::all_packets = F;
redef capture_filters = [[ "all"] = "ip or not ip"];
redef restrict_filters += [ ["not-high-volume-hosts"] = "not host and not host"];

You can just set the restrict filter to whatever you want and put that in local.bro.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
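Added example for local.bro, not code from Seth's post: it builds the restrict filter from a set of addresses instead of a hand-written BPF string, using the same three variables the post sets. The addresses are constructed placeholders and `build_ignore_filter` is a helper name assumed here.

```bro
# Noisy hosts to drop globally. Addresses below are constructed examples;
# override the set from local.bro with a redef.
const noisy_hosts: set[addr] = {
    192.0.2.10,
    192.0.2.11,
} &redef;

# Turn a set of addresses into "not host A and not host B ...".
# Helper name assumed for this example. With an empty set it returns the
# pass-everything filter so an unset list never blanks the capture.
function build_ignore_filter(hosts: set[addr]): string
    {
    local parts: vector of string = vector();
    for ( h in hosts )
        parts[|parts|] = fmt("not host %s", h);

    if ( |parts| == 0 )
        return "ip or not ip";

    return join_string_vec(parts, " and ");
    }

# Same knobs as in the post: disable the all-packets shortcut, keep a
# capture filter that matches everything, and narrow it with the restrict filter.
redef PacketFilter::all_packets = F;
redef capture_filters = [["all"] = "ip or not ip"];
redef restrict_filters += [["not-high-volume-hosts"] = build_ignore_filter(noisy_hosts)];
```

Before deploying, paste the generated expression into `tcpdump -d '<expression>'` to confirm it compiles; a typo in a restrict filter otherwise stops the worker from seeing traffic at all.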
