[Bro] Exclude IPS

Grant Stavely grant at grantstavely.com
Tue Nov 18 11:14:12 PST 2014


Hi Ioannis,

Docs: https://www.bro.org/sphinx/scripts/base/frameworks/packet-filter/main.bro.html 

I use this in my local.bro. A redef of restrict_filters should work too:

################################################################################
# Capture filter
################################################################################
event bro_init() &priority=-12
	{
	# Parenthesize the list: in BPF, "not" binds tighter than "or".
	restrict_filters["Ioannis.PSAROUDAKIS at ec.europa.eu"] = "not (host x.x.x.x or net x.x.x.x/x or ...)";
	PacketFilter::install();
	}

Grant



On November 18, 2014 at 9:58:28 AM, McMahon, Kevin J (kmcmahon at mitre.org) wrote:

redef restrict_filters += { ["blockedIPs"] = "not net 192.168.1.0/24" };

 

I think you may need to also include: redef PacketFilter::all_packets = F;  I have both of these statements in my config, but I put them in there a long time ago.

 

 

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Ioannis.PSAROUDAKIS at ec.europa.eu
Sent: Tuesday, November 18, 2014 12:07 PM
To: bro at bro.org
Subject: [Bro] Exclude IPS

 

Hi All,

 

I am running the latest version of Bro and I would like to exclude (not log at all) events from specific IPs.

Can someone provide me with a link/info on how to do this?

 

Thanks for your time.

 

Regards

Ioannis

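Added example, not part of the original thread and not the Bro project's own code: a local.bro fragment that builds the restrict filter discussed above from sets of hosts and networks, so the exclusion list is always wrapped in one parenthesized group. The names excluded_hosts, excluded_nets, build_exclude_filter and the "excluded-sources" key are hypothetical, the addresses are constructed documentation ranges, and IPv4 entries are assumed.

```bro
# Constructed sample values (RFC 5737 documentation ranges).
const excluded_hosts: set[addr] = { 192.0.2.10, 192.0.2.11 } &redef;
const excluded_nets: set[subnet] = { 198.51.100.0/24 } &redef;

# Build "not (host A or host B or net C)".
# The parentheses matter: in BPF "not" binds tighter than "or", so
# "not host A or net C" means "(not host A) or net C", which leaves
# net C fully captured instead of excluded.
function build_exclude_filter(): string
	{
	local terms = "";

	for ( h in excluded_hosts )
		terms = fmt("%s%shost %s", terms, terms == "" ? "" : " or ", h);

	for ( n in excluded_nets )
		terms = fmt("%s%snet %s", terms, terms == "" ? "" : " or ", n);

	# An empty list must not produce "not ()", which is invalid BPF.
	return terms == "" ? "" : fmt("not (%s)", terms);
	}

event bro_init() &priority=-12
	{
	local f = build_exclude_filter();

	if ( f != "" )
		{
		# restrict_filters entries are ANDed onto the capture filter.
		restrict_filters["excluded-sources"] = f;
		PacketFilter::install();
		}
	}
```

The filter that was actually installed is recorded in packet_filter.log, which is the place to confirm that the exclusion took effect and covers only the intended sources.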