[Bro] Filtering out hosts from notices

David Vasil davidvasil at gmail.com
Wed Aug 6 06:35:13 PDT 2014


I'm sure this has been documented somewhere, but I have been unable to find
it thus far.  How do you define suppression criteria for individual
notices?  For example, SSH::Interesting_Hostname_Login is triggering for me
quite a bit on an ftp server that also provides sftp access; I'd like to
suppress all notices to this system (e.g. ip: 192.168.0.100, hostname:
ftp.mydomain.org).  Would this be a redef of 'interesting_hostnames' to
something like:

(/^d?ns[0-9]*\./ |
/^smtp[0-9]*\./ |
/^mail[0-9]*\./ |
/^pop[0-9]*\./  |
/^imap[0-9]*\./ |
/^www[0-9]*\./  |
/^ftp[0-9]*\./) & !(ftp.mydomain.org) &redef;

Thanks!
-David Vasil
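The per-host filter described in the question is an added example and is not code from the original post or from Bro's own scripts. Bro's notice framework exposes every notice to the Notice::policy hook before it is logged, which is the place to drop a notice for one system rather than rewriting the SSH::interesting_hostnames pattern. The script below assumes the host 192.168.0.100 from the question and an assumed set name ignored_ssh_hosts; Notice::Info's note, id and actions fields and Notice::ACTION_LOG are the framework's own.

```bro
# Added example, not from the original post: drop
# SSH::Interesting_Hostname_Login for chosen hosts instead of
# touching SSH::interesting_hostnames.
@load base/frameworks/notice
@load base/protocols/ssh

module SSHNoticeFilter;

export {
	## Assumed: hosts (e.g. an FTP server that also offers SFTP) whose
	## Interesting_Hostname_Login notices should not reach notice.log.
	const ignored_ssh_hosts: set[addr] = { 192.168.0.100 } &redef;
}

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Interesting_Hostname_Login && n?$id )
		{
		# The notice is raised with $conn set, so the framework fills in
		# n$id.  The interesting hostname can belong to either endpoint,
		# so match the host on both sides of the connection.
		if ( n$id$orig_h in ignored_ssh_hosts ||
		     n$id$resp_h in ignored_ssh_hosts )
			{
			# Notice::ACTION_LOG is added by the base policy handler at a
			# higher priority; this default-priority handler runs later,
			# so removing it here keeps the notice out of notice.log.
			delete n$actions[Notice::ACTION_LOG];
			}
		}
	}
```

Load this from local.bro (or redef ignored_ssh_hosts there) and the other SSH hosts keep generating the notice as before. If the goal is to silence the notice type everywhere rather than for one system, Notice::ignored_types is the &redef'able set for that.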