[Bro] SQLite logging and as white/blacklist in a cluster

Papulis, George george.papulis at wustl.edu
Wed Oct 26 14:24:47 PDT 2016


We do not use the notice log in this instance, but using the &synchronized and &create_expire attributes looks perfect for what I'm trying to accomplish, and significantly easier to use, haha.


Thanks Justin!

________________________________
From: Azoff, Justin S <jazoff at illinois.edu>
Sent: Wednesday, October 26, 2016 3:24:10 PM
To: Papulis, George
Cc: bro at bro.org
Subject: Re: [Bro] SQLite logging and as white/blacklist in a cluster


> On Oct 26, 2016, at 4:15 PM, Papulis, George <george.papulis at wustl.edu> wrote:
>
> Just once a day

If you are raising a notice, you can use suppression that is built in:

https://www.bro.org/sphinx-git/frameworks/notice.html#automated-suppression

otherwise see how the known hosts policy does it:

https://www.bro.org/sphinx/_downloads/known-hosts.bro



--
- Justin Azoff
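For readers following the two options Justin points at, here is an added example script (not from the original thread, and not the stock known-hosts.bro) that shows both side by side in one handler: a NOTICE whose $identifier and $suppress_for give built-in, cluster-wide once-per-day suppression, and, for a plain log stream, the known-hosts pattern of a &synchronized set with &create_expire=1day. The module name, the blacklist_hits log stream, the Blacklisted_Source notice type and the two blacklisted addresses are all constructed for illustration. &synchronized is a Bro 2.x attribute (it was removed in Zeek 3 in favour of the broker-backed data stores), so this is written for the Bro version in use at the time of the thread.

```bro
##! Added example, not part of the original thread or of the Bro distribution:
##! report a connection from a blacklisted source at most once per day, cluster-wide.

@load base/frameworks/notice

module OncePerDay;

export {
    redef enum Log::ID += { LOG };

    redef enum Notice::Type += {
        ## A connection from a blacklisted address was seen (constructed notice type).
        Blacklisted_Source,
    };

    type Info: record {
        ts:   time &log;
        host: addr &log;
    };

    ## Constructed sample blacklist. In practice you would fill this from a file
    ## with the Input framework or redef it from a site policy script.
    const blacklist: set[addr] = { 192.0.2.10, 198.51.100.7 } &redef;

    ## Hosts already reported. &synchronized propagates every add to the rest of
    ## the cluster; &create_expire removes the entry one day after insertion, so
    ## the same host is reported again the next day. This is the known-hosts pattern.
    global reported: set[addr] &create_expire=1day &synchronized;
}

event bro_init()
{
    Log::create_stream(OncePerDay::LOG, [$columns=Info, $path="blacklist_hits"]);
}

event connection_established(c: connection) &priority=5
{
    local host = c$id$orig_h;

    if ( host !in blacklist )
        return;

    # Option 1: notice framework suppression. Every notice with the same
    # $identifier raised within $suppress_for of the first one is dropped,
    # and the suppression state is shared across the cluster automatically.
    NOTICE([$note=Blacklisted_Source,
            $msg=fmt("connection from blacklisted host %s", host),
            $conn=c,
            $identifier=cat(host),
            $suppress_for=1day]);

    # Option 2: the known-hosts pattern for a plain log stream. Check the
    # synchronized set first so that only the first worker to see the host
    # writes the log line; the add is then replicated to the other nodes.
    if ( host in reported )
        return;

    add reported[host];
    Log::write(OncePerDay::LOG, [$ts=network_time(), $host=host]);
}
```

Pick one of the two in a real deployment; both are shown here only to contrast them. With the set-based approach, keep in mind that the expiry timer runs on each node from the moment that node received the add, so the "once a day" window is approximate across a cluster, whereas notice suppression is tracked centrally by the manager.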



