[Bro] whitelisting

Heine Lysemose lysemose at gmail.com
Mon Apr 29 03:45:06 PDT 2013


Hi Tracy

Have you looked at this, http://code.google.com/p/security-onion/wiki/BPF

/Lysemose


On Mon, Apr 29, 2013 at 12:33 PM, Tracy Reed <treed at ultraviolet.org> wrote:

> Hello all,
>
> I am running Bro 2.1 in Security Onion 12.04 and I am very happy with it. This
> level of detail into what is happening on the network is just amazing! I'm
> beginning to wonder how I ever did without it for so long.
>
> I have an ssh that happens every 5 minutes which causes a lot of noise.
>
> I've gone through all of the docs on bro.org and done some googling but can't
> seem to figure out how to whitelist certain connections so they will not
> constantly appear in the bro alarm summaries. I did find this, which contains
> an example for watching ssh to particular hosts which seems related to what I
> am trying to do:
>
> http://www.bro.org/sphinx/quickstart.html#deployment-customization
>
> But what I want is somewhat the opposite: I want to ignore/whitelist
> connections to certain hosts, preferably from certain IP addresses.
>
> Can anyone suggest how this would be done?
>
> And while I'm writing (and related to another example in the above URL) I get
> alarms about SSL certs. I would like to add our in-house CA to the list of
> accepted certs. How can I do this?
>
> Thanks for a great tool!
>
> --
> Tracy Reed
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
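The Security Onion BPF approach Heine links to drops the matching packets before Bro (or Snort/Suricata) ever sees them, so the whitelisted SSH sessions also vanish from conn.log and ssh.log. If you only want to silence the alarm while keeping the connection records, the Bro-side alternative is a Notice::policy hook that discards the specific notice. The script below is an added example written for this thread; it is not code from Heine, Tracy, or the Bro distribution. It assumes the hook-based Notice::policy that Bro 2.1 introduced (a `break` inside the hook drops the notice, which is the same mechanism `Notice::ignored_types` uses), the `SSH::Login` notice type, and the `SSL::root_certs` table (subject string to DER bytes) used by Bro 2.1's certificate validation. The addresses, the CA subject, and the `"\x30\x82..."` DER value are placeholders to be replaced with your own; it would be dropped into local.bro on the sensor.

```bro
# Added example (not from the original thread or the Bro project).
# Assumes Bro 2.1: hook-based Notice::policy, SSH::Login notice type,
# SSL::root_certs table. All addresses and names below are placeholders.
@load base/frameworks/notice
@load base/protocols/ssh
@load base/protocols/ssl

module LocalWhitelist;

export {
    ## Clients whose routine SSH sessions should not raise an alarm.
    ## Placeholder addresses; override with "redef" in local.bro.
    const quiet_ssh_clients: set[addr] = { 10.0.0.5, 10.0.0.6 } &redef;

    ## Servers those clients may reach without an alarm. Scoping the
    ## suppression to a client/server pair keeps SSH::Login alarms for
    ## the same client hitting any other host.
    const quiet_ssh_servers: set[addr] = { 192.0.2.10 } &redef;
}

# Runs for every notice before its actions are decided. Returning early
# leaves the notice alone; "break" stops policy evaluation and discards
# the notice, so it reaches neither notice.log nor the alarm summary.
hook Notice::policy(n: Notice::Info)
{
    if ( n$note != SSH::Login )
        return;

    # Not every notice carries connection identifiers; check before use.
    if ( ! n?$id )
        return;

    if ( n$id$orig_h in quiet_ssh_clients && n$id$resp_h in quiet_ssh_servers )
        break;
}

# Trusting an in-house CA: SSL::root_certs maps the CA certificate's
# subject string to its DER-encoded bytes. Replace the subject and the
# "\x30\x82..." placeholder with the real values; one way to obtain
# them is "openssl x509 -in ca.pem -outform DER | xxd -i" and the
# subject from "openssl x509 -in ca.pem -noout -subject".
redef SSL::root_certs += {
    ["CN=Example In-House CA,O=Example Corp,C=US"] = "\x30\x82...",
};
```

After editing local.bro, run `broctl check` to catch script errors before `broctl install` and `broctl restart`; a malformed DER value in `SSL::root_certs` is the usual cause of a failed check here.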