[Bro] whitelisting

Castle, Shane scastle at bouldercounty.org
Mon Apr 29 07:46:38 PDT 2013

Also, the Bro scripting language is very accessible once you learn its syntax. Check out a great repository at https://github.com/bro/ - especially see the "cheat sheet" link there. With this you can roll your own mods without too much trouble. Jump in!

Shane Castle
Data Security Mgr, Boulder County IT
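As an added illustration of the kind of "mod" meant here (not code from this thread or from the Bro project), the following script drops notices for whitelisted client/server pairs so they no longer reach notice.log or the alarm summary. It assumes the noisy notice type is SSH::Login, that Bro 2.1's default Notice::policy handler (priority 10) is what adds ACTION_LOG, and that the addresses, module name and file name are placeholders.

```bro
##! Added example: keep expected SSH logins out of notice.log and the
##! alarm summary.  Load from local.bro with @load ./notice-whitelist
##! (the file name is an assumption).

module NoticeWhitelist;

export {
	## Constructed sample whitelist: [client, server] pairs whose SSH
	## logins are expected (placeholder addresses).
	const ssh_pairs: set[addr, addr] = {
		[10.0.0.5, 10.0.0.9],
	} &redef;

	## Optional: whole client networks whose SSH logins are expected.
	const ssh_clients: set[subnet] = {
		10.0.5.0/24,
	} &redef;
}

## Priority 5 runs after the framework's priority-10 handler, which is
## where ACTION_LOG is added, so deleting actions here really drops it.
hook Notice::policy(n: Notice::Info) &priority=5
	{
	# Only touch SSH login notices that carry both endpoints.
	if ( n$note != SSH::Login || ! n?$src || ! n?$dst )
		return;

	if ( [n$src, n$dst] in ssh_pairs || n$src in ssh_clients )
		{
		# With no delivery action left, nothing is written or mailed.
		delete n$actions[Notice::ACTION_LOG];
		delete n$actions[Notice::ACTION_ALARM];
		delete n$actions[Notice::ACTION_EMAIL];
		}
	}
```

Because only the listed pairs and networks are affected, SSH logins from any other source to the same servers still appear in the summaries.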

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Heine Lysemose
Sent: Monday, April 29, 2013 04:45
To: Tracy Reed
Cc: bro at bro.org
Subject: Re: [Bro] whitelisting

Hi Tracy
Have you looked at this, http://code.google.com/p/security-onion/wiki/BPF

On Mon, Apr 29, 2013 at 12:33 PM, Tracy Reed <treed at ultraviolet.org> wrote:

	Hello all,
	I am running Bro 2.1 in Security Onion 12.04 and I am very happy with it. This
	level of detail into what is happening on the network is just amazing! I'm
	beginning to wonder how I ever did without it for so long.
	I have an ssh that happens every 5 minutes which causes a lot of noise.
	I've gone through all of the docs on bro.org and done some googling but can't
	seem to figure out how to whitelist certain connections so they will not
	constantly appear in the bro alarm summaries. I did find this, which contains
	an example for watching ssh to particular hosts which seems related to what I
	am trying to do:
	But what I want is somewhat the opposite: I want to ignore/whitelist
	connections to certain hosts, preferably from certain IP addresses.
	Can anyone suggest how this would be done?
	And while I'm writing (and related to another example in the above URL) I get
	alarms about SSL certs. I would like to add our in-house CA to the list of
	accepted certs. How can I do this?
	Thanks for a great tool!
	Tracy Reed
	Bro mailing list
	bro at bro-ids.org
