scastle at bouldercounty.org
Mon Apr 29 07:46:38 PDT 2013
Also, the Bro scripting language is very accessible once you learn its syntax. Check out a great repository at https://github.com/bro/ - especially see the "cheat sheet" link there. With this you can roll your own mods without too much trouble. Jump in!
Data Security Mgr, Boulder County IT
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Heine Lysemose
Sent: Monday, April 29, 2013 04:45
To: Tracy Reed
Cc: bro at bro.org
Subject: Re: [Bro] whitelisting
Have you looked at this, http://code.google.com/p/security-onion/wiki/BPF
On Mon, Apr 29, 2013 at 12:33 PM, Tracy Reed <treed at ultraviolet.org> wrote:
I am running Bro 2.1 in Security Onion 12.04 and I am very happy with it. This
level of detail into what is happening on the network is just amazing! I'm
beginning to wonder how I ever did without it for so long.
I have an ssh that happens every 5 minutes which causes a lot of noise.
I've gone through all of the docs on bro.org and done some googling but can't
seem to figure out how to whitelist certain connections so they will not
constantly appear in the bro alarm summaries. I did find this, which contains
an example for watching ssh to particular hosts which seems related to what I
am trying to do:
But what I want is somewhat the opposite: I want to ignore/whitelist
connections to certain hosts, preferably from certain IP addresses.
Can anyone suggest how this would be done?
And while I'm writing (and related to another example in the above URL) I get
alarms about SSL certs. I would like to add our in-house CA to the list of
accepted certs. How can I do this?
Thanks for a great tool!
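A concrete script covering both questions in the quoted message, added here as an example and not taken from the thread or from Bro's own distribution: it uses the Notice::policy hook (Bro 2.1 and later) to keep an expected scheduled SSH login out of the alarm summary while still logging it, and registers an in-house CA in SSL::root_certs so its certificates validate rather than being silenced. The IP addresses, the CA subject string and the certificate bytes are constructed placeholders; field and variable names follow the 2.1 notice and SSL frameworks as assumed here, so check them against the scripts shipped with your install.

```bro
# whitelist.bro - load from local.bro with: @load ./whitelist
@load base/frameworks/notice
@load base/protocols/ssh
@load base/protocols/ssl

module Whitelist;

export {
    ## Sources allowed to generate the scheduled SSH login (placeholder addresses).
    const ssh_allowed_sources: set[addr] = { 10.0.0.5 } &redef;
    ## Servers the scheduled job is allowed to log in to (placeholder addresses).
    const ssh_allowed_dests: set[addr] = { 10.0.0.20 } &redef;
}

hook Notice::policy(n: Notice::Info)
{
    # Only touch the SSH login notice, and only when the notice carries
    # connection endpoints (n?$src / n?$dst guard the optional fields).
    if ( n$note != SSH::Login || ! n?$src || ! n?$dst )
        return;

    # Whitelist requires BOTH an expected source and an expected destination,
    # so the same client logging in elsewhere still alarms.
    if ( n$src in ssh_allowed_sources && n$dst in ssh_allowed_dests )
        {
        # Drop the alarm/e-mail actions; the notice still reaches notice.log
        # (ACTION_LOG is left alone) so the activity stays auditable.
        delete n$actions[Notice::ACTION_ALARM];
        delete n$actions[Notice::ACTION_EMAIL];
        }
}

# In-house CA: add it to the trust store used for certificate validation.
# Key = certificate subject, value = DER-encoded certificate bytes.
# Both values below are placeholders; extract the real ones with e.g.
#   openssl x509 -in inhouse-ca.pem -outform DER | xxd -i
redef SSL::root_certs += {
    ["CN=In-House Root CA,O=Example Org,C=US"] =
        "\x30\x82\x00\x00",  # placeholder, not a real certificate
};
```

With the CA trusted, SSL::Invalid_Server_Cert notices for internally issued certificates stop because validation succeeds, which is preferable to suppressing that notice type and losing sight of genuinely bad certificates.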
Bro mailing list
bro at bro-ids.org