[Bro] Email Notice Suppression
scotty.b.brown at gmail.com
Mon Aug 31 16:45:10 PDT 2015
I'm running bro 2.4 and have just added a bunch of critical stack intel
feeds. All is working well.
One of the feeds I have is a list of Tor IPs, and once I set notices to
true for the Critical Stack intel, I start getting emails (I've set up
email alerting for notices).
What I would like to do is suppress email alerts for a particular notice
from a particular src host.
1441063489.889373 CEyDP6zbg6ngOFFa 10.10.10.10 45969
22.214.171.124 443 - - - 126.96.36.199
Intel::ADDR Conn::IN_RESP sensor-eth1-1 from
https://www.dan.me.uk/torlist/ via intel.criticalstack.com
So any notice that fires from src 10.10.10.10 for the torlist intel -
I'd still like to see the notice in the intel file - but not get the
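One way to get this behaviour, as an added example that is not part of the original post: a Notice::policy hook that removes only the e-mail action from Intel::Notice notices whose source host is 10.10.10.10, so the intel.log and notice.log entries are still written. It assumes the feed name ("torlist") is not carried in the Notice::Info record, so it keys on notice type and source address only; the set name is made up for this example.

```bro
# Added example, not code from the original post.
# Drops ACTION_EMAIL for Intel::Notice notices from listed source hosts;
# the notice itself (and the intel.log entry) is still logged.
# Assumption: the intel feed name is not part of Notice::Info, so matching
# is done on the notice type and n$src only.

@load base/frameworks/notice
@load base/frameworks/intel
@load policy/frameworks/intel/do_notice

# Source hosts whose Intel::Notice hits should not be e-mailed (name is ours).
const suppress_intel_email_from: set[addr] = { 10.10.10.10 } &redef;

hook Notice::policy(n: Notice::Info)
	{
	# The stock hook that adds ACTION_EMAIL for Notice::emailed_types runs at
	# priority 10, so at the default priority the action is already present
	# and can be removed here.
	if ( n$note == Intel::Notice && n?$src && n$src in suppress_intel_email_from )
		delete n$actions[Notice::ACTION_EMAIL];
	}
```

Load this from local.bro; other Intel::Notice hits, and any other notice from 10.10.10.10, keep their e-mail action.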