[Bro] Exclude IPS
Ioannis.PSAROUDAKIS at ec.europa.eu
Fri Nov 21 03:21:06 PST 2014
Hi all,
Thank you for your answers.
Indeed it works fine for Bro 2.3.1 running in Ubuntu 14.04.
From: 김희철 [mailto:hckim at narusec.com]
Sent: Thursday, November 20, 2014 6:55 AM
To: Seth Hall
Cc: PSAROUDAKIS Ioannis (CERT-EU); bro at bro.org
Subject: Re: [Bro] Exclude IPS
Hi Seth
Thank you
I put
redef restrict_filters = { ["not-hosts"] = "not host X.X.X.X" };
in a local.bro and it worked. Very simple one-liner.
Thanks
On Wed, Nov 19, 2014 at 11:09 PM, Seth Hall <seth at icir.org> wrote:
> On Nov 18, 2014, at 7:54 PM, 김희철 <hckim at narusec.com> wrote:
>
> redef PacketFilter::enable_auto_protocol_capture_filters = F;
>
> redef capture_filters = { ["all"] = "ip or not ip" };
>
>
> local-worker.bro:
>
> redef restrict_filters = { ["not-hosts"] = "not host X.X.X.X" };
Hi Hichul!
You could actually simplify this all by just putting that last line in local.bro. The rest aren't necessary.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/