[Bro] Exclude IPS - only src ip
seth at icir.org
Mon Dec 15 07:09:06 PST 2014
> On Dec 15, 2014, at 6:08 AM, 김희철 <hckim at narusec.com> wrote:
> Is there a way to filter out only a src_ip?
Are you sure you really want to filter a src address? Because Bro typically needs full duplex traffic to work correctly, it rarely makes sense to filter with a src or dst.
Do you also have multiple “redef restrict_filters” lines as you showed? You are doing full value assignment by using “=” instead of extending the table with “+=”, which will definitely cause you trouble if that’s happening.
International Computer Science Institute
(Bro) because everyone has a network
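
The difference between "=" and "+=" mentioned in the reply above, as an added example that is not part of the original message. The filter names and the RFC 5737 documentation addresses are constructed for illustration, and `not host` is used so that both directions of a connection are excluded together:

```bro
# Added example, not from the original thread. Filter names and
# addresses (RFC 5737 documentation range) are constructed.

# Problematic form: each "=" assigns a whole new table, so when several
# such lines are loaded only the last one is in effect and the earlier
# exclusion is silently dropped.
#
# redef restrict_filters = { ["exclude-scanner"] = "not host 192.0.2.10" };
# redef restrict_filters = { ["exclude-backup"]  = "not host 192.0.2.20" };

# Extending form: "+=" adds entries to the existing table, so both
# exclusions remain. Entries in restrict_filters are ANDed together
# when the final BPF filter is built.
redef restrict_filters += { ["exclude-scanner"] = "not host 192.0.2.10" };
redef restrict_filters += { ["exclude-backup"]  = "not host 192.0.2.20" };
```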