[Bro] Global IP host ignore

Seth Hall seth at icir.org
Mon Jun 25 13:42:56 PDT 2012


On Jun 25, 2012, at 4:26 PM, Jake Middleton wrote:

> I have an install using 8 nodes and a master on a single host.  I'm monitoring ~2,000 hosts across a split core and would like to add a global ignore for a handful of noisy hosts.
>  
> What's the best approach to handle this?

Unfortunately it's kind of messy right now due to implementation issues in the packet filter framework, but here it goes (it will be fixed in 2.2 probably, I didn't get the rewrite ready for 2.1)…

redef PacketFilter::all_packets = F;
redef capture_filters = [ ["all"] = "ip or not ip" ];
redef restrict_filters += [ ["not-high-volume-hosts"] = "not host 192.168.1.100 and not host 192.168.2.100"];

You can just set the restrict filter to whatever you want and put that in local.bro.
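As an added illustration (not part of Seth's reply), the same restrict filter built from a set of addresses, so the list of noisy hosts lives in one place; `ignore_hosts` and `build_ignore_filter` are names assumed for this example, the other globals are the ones used above:

```bro
# Added example for local.bro: keep the noisy hosts in one set and
# build the BPF restrict filter from it.  ignore_hosts and
# build_ignore_filter are hypothetical names, not part of Bro.

# Addresses to drop before Bro sees any of their traffic.  The filter
# string is computed when restrict_filters is initialized below, so
# list the hosts here rather than redef'ing this set from another
# script loaded later.
const ignore_hosts: set[addr] = {
    192.168.1.100,
    192.168.2.100
} &redef;

# Turn the set into "not host A and not host B ...".  An empty set
# yields a filter that matches everything, the same expression the
# capture filter above uses, so nothing is silently dropped.
function build_ignore_filter(hosts: set[addr]): string
    {
    if ( |hosts| == 0 )
        return "ip or not ip";

    local f = "";
    for ( h in hosts )
        {
        if ( f != "" )
            f += " and ";
        f += fmt("not host %s", h);
        }
    return f;
    }

redef PacketFilter::all_packets = F;
redef capture_filters = [ ["all"] = "ip or not ip" ];
redef restrict_filters += [ ["not-high-volume-hosts"] = build_ignore_filter(ignore_hosts) ];
```

Before deploying, paste the generated expression into `tcpdump -d '...'` on the sensor to confirm it compiles, since a malformed restrict filter shows up as Bro refusing to start rather than as dropped packets.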

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/