[Bro] Exclude IPS
Seth Hall
seth at icir.org
Wed Nov 19 06:09:09 PST 2014
> On Nov 18, 2014, at 7:54 PM, 김희철 <hckim at narusec.com> wrote:
>
> redef PacketFilter::enable_auto_protocol_capture_filters = F;
>
> redef capture_filters = { ["all"] = "ip or not ip" };
>
>
> local-worker.bro:
>
> redef restrict_filters = { ["not-hosts"] = "not host X.X.X.X" };
Hi Hichul!

You could actually simplify this all by just putting that last line in local.bro. The rest aren't necessary.

.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/