[Bro] Exclude IPS - only src ip

Seth Hall seth at icir.org
Tue Dec 16 07:42:14 PST 2014

> On Dec 15, 2014, at 8:55 PM, 김희철 <hckim at narusec.com> wrote:
> src_ip I want to filter out is a 'proxy web server ip'. I want to watch only local network log.
> There is too much proxy_src_ip log that we do not need; the other reason is to reduce log amount
> (I am getting live traffic by mirror which our customer is doing, so I do not have any choice)

I believe you’re over-thinking this.  Just remove the “src” from your expressions.  Try something like this…

redef restrict_filters += {
	# PROXY_NET is a placeholder for the proxy server's network in CIDR notation
	["not-nets"] = "not net PROXY_NET"
};

Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
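To make the difference concrete, here is an added example (not from the thread) that evaluates a tiny subset of BPF syntax over constructed flows and shows what "not src net" versus "not net" still lets through; PROXY_NET and the flows are placeholders.

```python
# Added example: compares which flows survive a "not src net X" restriction
# versus "not net X", as a restrict_filters entry is ANDed with the capture filter.
# PROXY_NET and FLOWS are constructed placeholders, not values from the thread.
import ipaddress


def matches(expr: str, src: str, dst: str) -> bool:
    """Evaluate a minimal BPF subset: [not] [src|dst] net CIDR."""
    tokens = expr.split()
    negate = False
    if tokens and tokens[0] == "not":
        negate = True
        tokens = tokens[1:]
    direction = None
    if tokens and tokens[0] in ("src", "dst"):
        direction = tokens[0]
        tokens = tokens[1:]
    if len(tokens) != 2 or tokens[0] != "net":
        raise ValueError(f"unsupported expression: {expr!r}")
    net = ipaddress.ip_network(tokens[1], strict=False)
    src_in = ipaddress.ip_address(src) in net
    dst_in = ipaddress.ip_address(dst) in net
    if direction == "src":
        hit = src_in
    elif direction == "dst":
        hit = dst_in
    else:
        hit = src_in or dst_in  # plain "net" matches either endpoint
    return (not hit) if negate else hit


def kept_flows(expr: str, flows):
    """Return the (src, dst) pairs that pass the filter, i.e. that Bro would still see."""
    return [f for f in flows if matches(expr, f[0], f[1])]


PROXY_NET = "10.0.0.0/24"  # placeholder for the proxy server's network
FLOWS = [  # constructed (src, dst) pairs
    ("10.0.0.5", "192.168.1.10"),      # proxy -> internal client
    ("192.168.1.10", "10.0.0.5"),      # internal client -> proxy
    ("192.168.1.10", "192.168.1.20"),  # internal only
    ("203.0.113.7", "192.168.1.30"),   # external -> internal
]

if __name__ == "__main__":
    for expr in (f"not src net {PROXY_NET}", f"not net {PROXY_NET}"):
        print(expr, "->", kept_flows(expr, FLOWS))
```

With "not src net", the client-to-proxy half of every proxied connection still reaches Bro; "not net" drops both halves, which is what Seth's reply achieves by removing "src".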
