[Bro] event suppression

Martin Arlitt martin.arlitt at ucalgary.ca
Tue Feb 16 06:50:23 PST 2016


The event suppression in Bro does not appear to work the way I thought 
it would. For example, in my notice.log file, the suppress_for value 
always appears to be 3600. In misc/scan.bro (loaded in local.bro), 
addr_scan_interval and port_scan_interval both are set to 5min by 
default, yet still report 3600 in the suppress_for column of the log. Is 
there something obvious that I am overlooking?

Thanks,
Martin
