[Bro] BPF?

Jeremy Hoel jthoel at gmail.com
Thu Jan 16 09:37:13 PST 2014


Just as a side note, there are some apps that will send clear text
over 443, so you also won't be looking at those if you limit that
port.

On Thu, Jan 16, 2014 at 4:58 PM, George Insko <ginsko3 at gmail.com> wrote:
> I think just the amount of traffic coming in is my issue. So, I am trying to
> block things I can do little about. Hoping in vain that this will let me
> focus on the sloppy hackers and the low hanging fruit.
>
> This is not my primary IDS so missing some things is ok.
>
>
> On Thu, Jan 16, 2014 at 10:53 AM, Vlad Grigorescu <vladg at cmu.edu> wrote:
>>
>> Would it be sufficient to disable the SSL analyzer? That way you don't
>> have to play the port shell game, but you don't get an ssl.log or any
>> SSL-related notices, if that's your concern.
>>
>>   --Vlad
>>
>> On Jan 16, 2014, at 10:40 AM, Mike Patterson <mike.patterson at uwaterloo.ca>
>> wrote:
>>
>> > If you’re anxious to avoid any SSL traffic based on port exclusions, you
>> > might consider other well-known ports - 587, 465, etc.
>> >
>> > Mike
>> >
>> > On Jan 16, 2014, at 10:39 AM, George Insko <ginsko3 at gmail.com> wrote:
>> >
>> >> Good call. Thanks.
>> >>
>> >>
>> >> On Thu, Jan 16, 2014 at 10:33 AM, Seth Hall <seth at icir.org> wrote:
>> >>
>> >> On Jan 16, 2014, at 10:12 AM, George Insko <ginsko3 at gmail.com> wrote:
>> >>
>> >>> #Nothing from src host to dst port
>> >>> !(src host 0.0.0.0/0 && dst port 443) &&
>> >>> Does that make sense and will it work? Do you all have any other ways
>> >>> to permanently filter traffic?
>> >>
>> >> I think you meant to do…
>> >>
>> >> (not src port 443 and not dst port 443)
>> >>
>> >>  .Seth
>> >>
>> >>
>> >> --
>> >> Seth Hall
>> >> International Computer Science Institute
>> >> (Bro) because everyone has a network
>> >> http://www.bro.org/
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> George Insko
>> >> Email:    ginsko3 at gmail.com
>> >> Twitter: @ginsko3
>> >> _______________________________________________
>> >> Bro mailing list
>> >> bro at bro-ids.org
>> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> >
>> >
>>
>
>
>
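The difference between the two filter expressions discussed in the thread, shown as an added example that is not part of the original messages: it reimplements BPF's port-matching semantics in plain Python over a handful of constructed packets (every address and port below is made up) to show that George's original expression only drops one direction of a TLS session, while Seth's `not src port 443 and not dst port 443` (equivalently `not port 443`, since `port N` in BPF matches either end) drops both. The `port_exclusion` helper is my own; it extends the list to the 465/587 ports Mike mentions, and one sample packet models Jeremy's point that a cleartext application on 443 is excluded along with TLS.

```python
"""Added example, not from the Bro thread: evaluate the BPF exclusion
filters under discussion over constructed packets (a toy matcher, not
libpcap), to make the one-direction defect of the original expression visible."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed sample traffic (addresses and ports are made up):
SAMPLE = [
    Packet("10.0.0.5", 51000, "203.0.113.7", 443),    # client -> TLS server
    Packet("203.0.113.7", 443, "10.0.0.5", 51000),    # TLS server -> client (reply)
    Packet("10.0.0.5", 51001, "203.0.113.8", 587),    # SMTP submission (Mike's list)
    Packet("10.0.0.5", 51002, "203.0.113.9", 80),     # plain HTTP
    Packet("10.0.0.5", 51003, "203.0.113.10", 443),   # cleartext app on 443 (Jeremy's caveat)
]


def original_filter(p: Packet) -> bool:
    """George's expression: !(src host 0.0.0.0/0 && dst port 443).
    'src host 0.0.0.0/0' matches every packet, so the whole thing reduces
    to 'not dst port 443': only the client-to-server direction is dropped."""
    matches_any_src = True
    return not (matches_any_src and p.dport == 443)


def corrected_filter(p: Packet) -> bool:
    """Seth's expression: (not src port 443 and not dst port 443).
    Both directions of a session on 443 are dropped."""
    return p.sport != 443 and p.dport != 443


def port_exclusion(ports) -> str:
    """Build the BPF text 'not (port A or port B ...)'. In BPF, 'port N'
    already matches either src or dst port, so this is bidirectional and
    equivalent to Seth's form for each port listed."""
    return "not (" + " or ".join(f"port {n}" for n in sorted(set(ports))) + ")"


def port_exclusion_matcher(ports):
    """Toy evaluator with the same semantics as port_exclusion(ports)."""
    excluded = set(ports)
    return lambda p: p.sport not in excluded and p.dport not in excluded


def kept(filter_fn, packets=SAMPLE):
    """Packets that survive the filter, i.e. that Bro would still see."""
    return [p for p in packets if filter_fn(p)]


def leaked_by_original(packets=SAMPLE):
    """Packets the original expression lets through but the corrected one
    drops: the server-to-client half of every 443 session."""
    return [p for p in packets if original_filter(p) and not corrected_filter(p)]


if __name__ == "__main__":
    print("original keeps :", kept(original_filter))
    print("corrected keeps:", kept(corrected_filter))
    print("leaked replies :", leaked_by_original())
    expr = port_exclusion([443, 465, 587])
    print(expr, "keeps:", kept(port_exclusion_matcher([443, 465, 587])))
```

Run as a script it prints which sample packets each filter keeps; the leaked list is the reply packet with source port 443, which is exactly the traffic the original filter would still hand to Bro. Note that the cleartext-on-443 packet is dropped by every variant, which is the trade-off Jeremy points out.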



