[Bro] Exclude IPS - only src ip

김희철 hckim at narusec.com
Mon Dec 15 17:55:07 PST 2014


The src_ip I want to filter out is a 'proxy web server ip'. I want to watch
only the local network log.
There is too much proxy_src_ip log that we do not need; the other reason is to
reduce the log amount.
(I am getting live traffic by a mirror which our customer is doing, so I do
not have any choice.)


I did not write multiple “redef restrict_filters” lines. I ran one line at
a time.

Thank you


On Tue, Dec 16, 2014 at 12:09 AM, Seth Hall <seth at icir.org> wrote:
>
>
> > On Dec 15, 2014, at 6:08 AM, 김희철 <hckim at narusec.com> wrote:
> >
> > Is there a way to filter out only a src_ip?
>
> Are you sure you really want to filter a src address?  Because Bro
> typically needs full duplex traffic to work correctly, it rarely makes
> sense to filter with a src or dst.
>
> Do you also have multiple “redef restrict_filters” lines as you showed?
> You are doing full value assignment by using “=” instead of extending the
> table with “+=” which will definitely cause you trouble if that’s happening.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
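The `=` versus `+=` point from Seth's reply, and his warning about one-sided filters, written out as an added Bro script snippet. This is not code from either message or from the Bro project; the filter names, the 192.0.2.10 proxy address and the 10.0.0.0/8 local range are placeholder assumptions.

```bro
# Added example, not part of the thread. Addresses and filter names are
# placeholders.
#
# Full assignment replaces the whole table each time, so of these two lines
# only the second one survives and "exclude-proxy" is silently lost:
#
#   redef restrict_filters = { ["exclude-proxy"] = "not host 192.0.2.10" };
#   redef restrict_filters = { ["local-only"]    = "net 10.0.0.0/8" };
#
# Extending the table with "+=" keeps every entry; Bro ANDs the values
# together when it builds the final capture filter.
redef restrict_filters += {
    # Drop the proxy in both directions. A one-sided "not src host ..."
    # would leave Bro with only half of each connection, which is what
    # the reply warns against.
    ["exclude-proxy"] = "not host 192.0.2.10",
};

redef restrict_filters += {
    # Restrict capture to the local range (either direction).
    ["local-only"] = "net 10.0.0.0/8",
};
```

The filter Bro actually installs is written to packet_filter.log at startup, so that log is the place to confirm that both clauses made it into the capture filter rather than only the last one.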