[Bro] Exclude IPS

Ioannis.PSAROUDAKIS at ec.europa.eu Ioannis.PSAROUDAKIS at ec.europa.eu
Fri Nov 21 03:21:06 PST 2014

Hi all,

Thank you for your answers.
Indeed it works fine for Bro 2.3.1 running in Ubuntu 14.04.

From: 김희철 [mailto:hckim at narusec.com]
Sent: Thursday, November 20, 2014 6:55 AM
To: Seth Hall
Cc: PSAROUDAKIS Ioannis (CERT-EU); bro at bro.org
Subject: Re: [Bro] Exclude IPS

Hi Seth
Thank you

I put
redef restrict_filters = { ["not-hosts"] = "not host X.X.X.X" };
in a local.bro and it worked. very simple oneliner


On Wed, Nov 19, 2014 at 11:09 PM, Seth Hall <seth at icir.org<mailto:seth at icir.org>> wrote:

> On Nov 18, 2014, at 7:54 PM, 김희철 <hckim at narusec.com<mailto:hckim at narusec.com>> wrote:
> redef PacketFilter::enable_auto_protocol_capture_filters = F;
> redef capture_filters = { ["all"] = "ip or not ip" };
> local-worker.bro:
> redef restrict_filters = { ["not-hosts"] = "not host X.X.X.X" };

Hi Hichul!

You could actually simplify this all by just putting that last line in local.bro.  The rest aren't necessary.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20141121/e9254c75/attachment.html 

More information about the Bro mailing list