[Bro] Global IP host ignore

Jake Middleton middleton.jake at gmail.com
Mon Jun 25 13:58:07 PDT 2012


Thanks Seth

I'll try to wrap my head around that and make it work.

-j

From my iPhone.

On Jun 25, 2012, at 3:42 PM, Seth Hall <seth at icir.org> wrote:

>
> On Jun 25, 2012, at 4:26 PM, Jake Middleton wrote:
>
>> I have an install using 8 nodes and a master on a single host.  I'm monitoring ~2,000 hosts across a split core and would like to add a global ignore for a handful of noisy hosts.
>>
>> What's the best approach to handle this?
>
> Unfortunately it's kind of messy right now due to implementation issues in the packet filter framework, but here it goes (it will be fixed in 2.2 probably, I didn't get the rewrite ready for 2.1)…
>
> redef PacketFilter::all_packets = F;
> redef capture_filters = [[ "all"] = "ip or not ip"];
> redef restrict_filters += [ ["not-high-volume-hosts"] = "not host 192.168.1.100 and not host 192.168.2.100"];
>
> You can just set the restrict filter to whatever you want and put that in local.bro.
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
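The three redef lines above are easy to get wrong once the "handful" of hosts grows, because the restrict filter is a single BPF string that has to stay syntactically valid or Bro will refuse to install it and stop capturing. The following is an added example, not code from the thread or from the Bro project: a small Python generator that keeps the ignore list as data, validates every entry with the standard ipaddress module, turns addresses into "not host X" and CIDR prefixes into "not net X" (which goes beyond the per-host form Seth showed), and emits the same three redef lines for local.bro. The addresses in NOISY_HOSTS are constructed for the example; the filter name "not-high-volume-hosts" is taken from Seth's snippet.

```python
"""Generate the Bro restrict filter that drops a handful of noisy hosts.

Added example (not from the mailing-list post or the Bro distribution).
It builds the BPF expression that goes into `restrict_filters` and the
local.bro lines around it, so the ignore list is kept as data instead of
a hand-edited string.
"""
import ipaddress


def bpf_clause(entry: str) -> str:
    """Return the BPF term that excludes one host or network.

    Plain addresses become `not host X`; CIDR prefixes become `not net X`.
    Anything that is not a valid IPv4/IPv6 address or prefix raises
    ValueError, so a typo is caught here rather than at filter install
    time (where a bad BPF string stops Bro from capturing at all).
    A prefix with host bits set (e.g. 10.0.0.1/24) is also rejected: the
    writer almost certainly meant either a host or the aligned network.
    """
    entry = entry.strip()
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=True)
        if net.num_addresses == 1:
            # /32 or /128 is just a host; BPF's `host` is clearer than `net`
            return f"not host {net.network_address}"
        return f"not net {net.with_prefixlen}"
    return f"not host {ipaddress.ip_address(entry)}"


def build_restrict_filter(entries) -> str:
    """AND the per-entry clauses together, deduplicating but keeping order.

    Bro ANDs each restrict filter into the capture filter, so one string
    of `not host A and not host B ...` excludes every listed host in both
    directions (BPF `host` matches source or destination).
    """
    clauses = []
    for e in entries:
        c = bpf_clause(e)
        if c not in clauses:
            clauses.append(c)
    if not clauses:
        raise ValueError("need at least one host or network to exclude")
    return " and ".join(clauses)


def render_local_bro(entries, name="not-high-volume-hosts") -> str:
    """Emit the three redef lines from the thread with the generated filter."""
    filt = build_restrict_filter(entries)
    return "\n".join([
        "redef PacketFilter::all_packets = F;",
        'redef capture_filters = [[ "all"] = "ip or not ip"];',
        f'redef restrict_filters += [ ["{name}"] = "{filt}"];',
        "",
    ])


# Constructed ignore list for the example: two IPv4 hosts, one IPv6 host
# and one whole subnet.
NOISY_HOSTS = ["192.168.1.100", "192.168.2.100", "2001:db8::10", "10.0.0.0/24"]

if __name__ == "__main__":
    print(render_local_bro(NOISY_HOSTS), end="")
```

Paste the printed lines into local.bro and reinstall the configuration with broctl (check, then restart) so the new filter is compiled on every worker. If you only want to confirm the BPF string itself before deploying, tcpdump accepts the same expression, so running it with the generated filter against the monitored interface is a quick sanity check that the syntax is valid.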



