[Bro] whitelisting

Heine Lysemose lysemose at gmail.com
Mon Apr 29 03:45:06 PDT 2013

Hi Tracy

Have you looked at this, http://code.google.com/p/security-onion/wiki/BPF


On Mon, Apr 29, 2013 at 12:33 PM, Tracy Reed <treed at ultraviolet.org> wrote:

> Hello all,
> I am running Bro 2.1 in Security Onion 12.04 and I am very happy with it.
> This
> level of detail into what is happening on the network is just amazing! I'm
> beginning to wonder how I ever did without it for so long.
> I have an ssh that happens every 5 minutes which causes a lot of noise.
> I've gone through all of the docs on bro.org and done some googling but
> can't
> seem to figure out how to whitelist certain connections so they will not
> constantly appear in the bro alarm summaries. I did find this, which
> contains
> an example for watching ssh to particular hosts which seems related to
> what I
> am trying to do:
> http://www.bro.org/sphinx/quickstart.html#deployment-customization
> But what I want is somewhat the opposite: I want to ignore/whitelist
> connections to certain hosts, preferably from certain IP addresses.
> Can anyone suggest how this would be done?
> And while I'm writing (and related to another example in the above URL) I
> get
> alarms about SSL certs. I would like to add our in-house CA to the list of
> accepted certs. How can I do this?
> Thanks for a great tool!
> --
> Tracy Reed
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130429/aa127567/attachment.html 

More information about the Bro mailing list