[Bro] SSH Login Notices - Filter out internal to internal connections
Seth Hall
seth at icir.org
Fri Nov 16 20:46:59 PST 2012
On Nov 16, 2012, at 11:11 PM, Mike Kolkebeck <mkolkebeck at gmail.com> wrote:
> SSH::Login Notices for internal to internal connections can get fairly noisy.
>
> What is the most efficient way to filter out these notices for internal to internal without filtering for external connections?
redef Notice::policy += {
    [$pred(n: Notice::Info) = {
        # Match only SSH::Login notices where both endpoints are local.
        # Site::is_local_addr() tests against Site::local_nets, so that
        # set must be populated for the filter to mean anything.
        return ( n$note == SSH::Login &&
                 Site::is_local_addr(n$id$orig_h) &&
                 Site::is_local_addr(n$id$resp_h) );
    },
    $priority=10,
    # Halt policy processing for a match so the notice gets no action.
    $halt=T]
};
BTW, this answer is nasty and we're working now on making this generally easier for the next release.
Your approach of generating your own notice works well too.
I was considering removing the SSH::Login notice anyway. It's an anachronism of an older style of scripting and isn't so relevant anymore. Does anyone have any thoughts on the removal of the SSH::Login notice? Anyone actively use it?
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
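The same filter written against the hook-based Notice::policy that later Bro/Zeek releases adopted in place of the record-based policy above, added here as an example and not code from this thread. It assumes that SSH::Login is still defined by the loaded scripts (Seth raises removing it in his reply), and that the framework's own default Notice::policy handler, which runs at priority 10 and is what adds Notice::ACTION_LOG, has not been changed locally; a handler with a higher priority runs first, and breaking out of the hook there leaves the notice with no actions, so it is neither logged nor alarmed. It also extends the original by checking that the notice actually carries a connection id before dereferencing it, since $id is optional in Notice::Info.

```zeek
# Added example (not from the thread): drop SSH::Login notices whose
# originator and responder are both in Site::local_nets, using the
# hook-based Notice::policy of later Bro/Zeek releases.
#
# Assumptions: SSH::Login exists in the loaded scripts, and the
# framework's default Notice::policy handler (priority 10) is the one
# that adds Notice::ACTION_LOG. Higher priorities run first.
hook Notice::policy(n: Notice::Info) &priority=20
	{
	# Only interested in SSH::Login; let every other notice type through.
	if ( n$note != SSH::Login )
		return;

	# $id is optional in Notice::Info; a notice raised without a
	# connection has nothing to classify as internal or external.
	if ( ! n?$id )
		return;

	# Site::is_local_addr() checks against Site::local_nets, so that set
	# must be populated (e.g. via local.zeek or the cluster config).
	if ( Site::is_local_addr(n$id$orig_h) && Site::is_local_addr(n$id$resp_h) )
		# Leaving the hook before the default handler runs means no
		# action is ever added: the internal-to-internal login is
		# silently discarded, while external logins proceed normally.
		break;
	}
```

Because the decision is made per notice rather than per notice type, external-to-internal and internal-to-external SSH::Login notices keep their default handling; only the purely internal pair is affected.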