[Bro] Exclude IPS - only src ip
Seth Hall
seth at icir.org
Tue Dec 16 07:42:14 PST 2014
> On Dec 15, 2014, at 8:55 PM, 김희철 <hckim at narusec.com> wrote:
>
> src_ip I want to filter out is a 'proxy web server ip'. I want to watch only local net work log.
> There is to much proxy_src_ip log that we do not need, other reason is to reduce log amount
> (I am getting live traffic by mirror which our customer is doing, so I do not have any choice)
�
I believe you’re over-thinking this. Just remove the “src” from your expressions. Try something like this…
redef restrict_filters += {
["not-nets"] = "not net 1.2.3.0/24”
};
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list