[Bro] Global IP host ignore

Jake Middleton middleton.jake at gmail.com
Mon Jun 25 13:58:07 PDT 2012

Thanks Seth

I'll try to wrap my head around that and make it work.


From my iPhone.

On Jun 25, 2012, at 3:42 PM, Seth Hall <seth at icir.org> wrote:

> On Jun 25, 2012, at 4:26 PM, Jake Middleton wrote:
>> I have an install using 8 nodes and a master on a single host.  I'm monitoring ~2,000 hosts across a split core and would like to add a global ignore for a handful of noisy hosts.
>> What's the best approach to handle this?
> Unfortunately it's kind of messy right now due to implementation issues in the packet filter framework, but here it goes (it will be fixed in 2.2 probably, I didn't get the rewrite ready for 2.1)…
> redef PacketFilter::all_packets = F;
> redef capture_filters = [[ "all"] = "ip or not ip"];
> redef restrict_filters += [ ["not-high-volume-hosts"] = "not host and not host"];
> You can just set the restrict filter to whatever you want and put that in local.bro.
>  .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
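
An added example, not part of the thread and not Bro project code: a small Python helper that builds the restrict-filter string in the shape shown in Seth's message from a list of hosts to ignore, validating each entry so that nothing but an address can reach the BPF expression. It goes beyond the message by also accepting CIDR networks (BPF `net`); the function names are hypothetical and the addresses are constructed documentation-range values.

```python
import ipaddress


def bpf_term(entry):
    """Return the BPF exclusion term for one host address or CIDR network."""
    entry = entry.strip()
    if "/" in entry:
        # strict=True rejects a prefix with host bits set, e.g. 198.51.100.5/24
        return "not net %s" % ipaddress.ip_network(entry, strict=True)
    # ip_address() raises ValueError for anything that is not a bare address,
    # so an entry such as "192.0.2.10 or port 22" cannot alter the filter.
    return "not host %s" % ipaddress.ip_address(entry)


def restrict_filter(entries):
    """Join the exclusion terms with 'and', dropping duplicate entries."""
    terms = []
    for entry in entries:
        term = bpf_term(entry)
        if term not in terms:
            terms.append(term)
    if not terms:
        raise ValueError("no hosts given; refusing to build an empty filter")
    return " and ".join(terms)


def redef_line(name, entries):
    """Format the redef line in the form used in the message above."""
    return 'redef restrict_filters += [ ["%s"] = "%s"];' % (
        name, restrict_filter(entries))


if __name__ == "__main__":
    # Constructed sample input (RFC 5737 / RFC 3849 documentation ranges).
    noisy = ["192.0.2.10", "198.51.100.0/24", "2001:db8::1", "192.0.2.10"]
    print(redef_line("not-high-volume-hosts", noisy))
```

The printed line goes in local.bro alongside the other two redefs from the message.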
