[Bro] Some BPF love....
Tyler T. Schoenke
tyler.schoenke at colorado.edu
Thu Aug 9 07:38:58 PDT 2012
I've only briefly tested SecurityOnion, but in vanilla Bro, you would
add something like this to local.bro. That file is located under
$BROHOME/share/bro/site.
redef restrict_filters += { ["host exemptions"] = "not (host 4.2.2.2)" };
I don't know SecurityOnion's layout, but I don't think you want to add
it under spool. That is typically where runtime files are created.
Tyler
--
Tyler Schoenke
Network Security Manager
IT Security Office
University of Colorado at Boulder
On 8/8/12 9:38 AM, Tom OBrion wrote:
> Sent this off to the SecurityOnion group, but probably should have
> sent it here. Oopsy!
>
> Anyway
>
> Please....I know I must be doing something noobish...but man, I have
> tried it 15 ways to Sunday and no love.
>
> editing: /nsm/bro/spool/policy/site/local.bro
>
> added: redef cmd_line_bpf_filter = "not src host ipaddress";
>
> I want to tweak a tad more based on dst port, but need to at least get
> the filter working for the IP.
>
> I then do a check/install/restart
>
> I watch the Bro dns.log for the IP I added and she shows up. What
> the heck am I missing?
>
> Any help much appreciated.
>
>
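As an added example that is not part of the thread above, this is the shape a local.bro exemption would take if it were extended the way Tom asks for (one host excluded entirely, and one host's traffic to a particular destination port excluded). The addresses 4.2.2.2 and 192.0.2.10 and the port 53 are placeholders chosen for illustration, not values from either message; substitute your own.

```zeek
# Added example, not code from the original thread.
# Bro ANDs every entry of restrict_filters together, so each entry
# narrows what is captured. A hypothetical "excluded host" is dropped
# completely, and a hypothetical "excluded DNS client" keeps everything
# except its traffic to port 53.
redef restrict_filters += {
    ["host exemptions"]  = "not (host 4.2.2.2)",
    ["dns exemptions"]   = "not (src host 192.0.2.10 and dst port 53)",
};
```

After editing local.bro under $BROHOME/share/bro/site, run broctl check, install and restart as usual; the filter only takes effect once the installed policy is reloaded, which is the step to verify first if the excluded host still appears in dns.log.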