[Bro] Question about scan whitelisting ...

Michael Wenthold michael.wenthold at gmail.com
Thu Feb 19 08:33:11 PST 2015

I've been tinkering with the scan detection in Bro (2.3.2) and I was
wondering if this was the most effective method for whitelisting hosts:

# Hosts whose port-scan notices should not be logged. Typed as set[addr] and
# marked &redef so the set can be filled in from a site policy script; it is
# left empty here because the original post does not show its contents.
const scanners_whitelist: set[addr] = {} &redef;

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Scan::Port_Scan && n?$src && n$src in scanners_whitelist )
        {
        print n$src;   # debugging output; drop once the hook is confirmed working
        delete n$actions[Notice::ACTION_LOG];
        }
    }

Please let me know if there's a better/more efficient method. Thanks!
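An added example, not code from the original post or from Bro's own scan.bro: the same Notice::policy approach written as a complete site script, broadened to whitelist whole networks (set[subnet]) and to cover both scan notice types that policy/misc/scan.bro raises. The module name, the set name, and the two network entries are placeholders chosen for the example.

```bro
# Site-local whitelist for Bro's scan detector (policy/misc/scan.bro).
# Load after scan.bro, e.g. from local.bro. Placeholder names throughout.

module SiteScanWhitelist;

export {
    ## Hosts and networks that are allowed to scan us (vulnerability
    ## scanners, monitoring boxes). Entries are placeholders for the example.
    const allowed_scanners: set[subnet] = {
        10.0.0.0/8,      # placeholder: internal scanner network
        192.0.2.7/32     # placeholder: a single known scanner
    } &redef;
}

hook Notice::policy(n: Notice::Info)
    {
    # Only the two notices generated by scan.bro are of interest here.
    if ( n$note == Scan::Port_Scan || n$note == Scan::Address_Scan )
        {
        # scan.bro fills in $src with the scanning host; "addr in set[subnet]"
        # does a prefix match, so a /8 entry covers every host inside it.
        if ( n?$src && n$src in allowed_scanners )
            {
            # Strip every delivery action, not just ACTION_LOG, so a
            # whitelisted scanner neither gets logged, alarmed nor e-mailed.
            # Deleting an action that was never set is harmless.
            delete n$actions[Notice::ACTION_LOG];
            delete n$actions[Notice::ACTION_EMAIL];
            delete n$actions[Notice::ACTION_ALARM];
            }
        }
    }
```

Note that, like the hook in the post, this does not stop the scan detector from running or from raising the notice; it only removes the actions attached to it once it reaches the notice framework. A site can override the list without editing the script with `redef SiteScanWhitelist::allowed_scanners += { 198.51.100.0/24 };` in local.bro (address is again a placeholder).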
