[Bro] Exclude IPS - only src ip

김희철 hckim at narusec.com
Mon Dec 15 03:08:15 PST 2014


I used to filter an IP by adding this command to local.bro:

redef restrict_filters = { ["not-hosts"] = "not host X.X.X.X" };

But now I want to filter out only the src_ip (in Bro, id.orig_h).
I tried:
redef restrict_filters = { ["not-nets"] = "not src net X.X.X.X" };
redef restrict_filters = { ["not-nets"] = "!src net X.X.X.X" };
redef restrict_filters = { ["not-nets"] = "not(src net X.X.X.X)" };

But it does not filter the IP I want from src_ip.

Is there a way to filter out only a src_ip?

Thank you