[Bro] Exclude IPS
Ioannis.PSAROUDAKIS at ec.europa.eu
Fri Nov 21 03:23:43 PST 2014
Hi Grant
Thanks for your answer.
I tested your proposal and it runs OK with Bro 2.3.1 on Ubuntu 14.04 except for the "OR" operator.
I had to add the second IP to an additional filter line.
Regards,
Ioannis
From: Grant Stavely [mailto:grant at grantstavely.com]
Sent: Tuesday, November 18, 2014 8:14 PM
To: McMahon, Kevin J; bro at bro.org; PSAROUDAKIS Ioannis (CERT-EU)
Subject: Re: [Bro] Exclude IPS
Hi Ioannis,
Docs: https://www.bro.org/sphinx/scripts/base/frameworks/packet-filter/main.bro.html
I use this in my local.bro. A redef of restrict_filters should work too:
################################################################################
# Capture filter
################################################################################
event bro_init() &priority=-12
    {
    # The table is exported from the PacketFilter module, so qualify it when
    # this lives in local.bro. The key is only a label; the original name was
    # mangled by the list archive, so a placeholder is used here.
    PacketFilter::restrict_filters["<filter-label>"] = "not host x.x.x.x or net x.x.x.x/x or...";
    # Rebuild and install the combined BPF filter after other scripts have
    # made their changes (hence the low priority).
    PacketFilter::install();
    }
Grant
On November 18, 2014 at 9:58:28 AM, McMahon, Kevin J (kmcmahon at mitre.org<mailto:kmcmahon at mitre.org>) wrote:
redef PacketFilter::restrict_filters += [["blockedIPs"] = "not net 192.168.1.0/24"];
I think you may need to also include: redef PacketFilter::all_packets = F; I have both of these statements in my config, but I put them in there a long time ago.
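Putting Grant's and Kevin's replies together with Ioannis's finding that "or" did not behave as expected, here is an added local.bro fragment (not from the thread) that excludes several hosts and networks from capture by giving each exclusion its own restrict_filters entry. The framework joins the entries with "and", which sidesteps BPF precedence: "not host A or net B" parses as "(not host A) or (net B)", not "not (host A or net B)". The addresses are constructed documentation ranges and the entry names are arbitrary labels.

```bro
# Added example, not code from the thread. Drop into local.bro.
@load base/frameworks/packet-filter

# One entry per exclusion. The packet-filter framework ANDs every entry of
# restrict_filters into the capture filter, so each line is applied on its
# own and no "or" precedence issue arises. Addresses are constructed
# placeholders (RFC 5737 documentation ranges).
redef PacketFilter::restrict_filters += {
    ["exclude-scanner-host"] = "not host 192.0.2.10",
    ["exclude-backup-net"]   = "not net 198.51.100.0/24",
};

event bro_init() &priority=-12
    {
    # Install the combined filter late, after other scripts have adjusted
    # capture_filters/restrict_filters. The resulting BPF expression is
    # recorded in packet_filter.log, where it can be checked.
    PacketFilter::install();
    }
```

If a single entry must cover several addresses, write it as one negated group, e.g. "not (host 192.0.2.10 or net 198.51.100.0/24)", so the "not" applies to the whole alternative.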
From: bro-bounces at bro.org<mailto:bro-bounces at bro.org> [mailto:bro-bounces at bro.org] On Behalf Of Ioannis.PSAROUDAKIS at ec.europa.eu<mailto:Ioannis.PSAROUDAKIS at ec.europa.eu>
Sent: Tuesday, November 18, 2014 12:07 PM
To: bro at bro.org<mailto:bro at bro.org>
Subject: [Bro] Exclude IPS
Hi All,
I am running the latest version of Bro and I would like to exclude (not at all log) events from specific IPs.
Can someone provide me with a link/info on how to do this?
Thanks for your time.
Regards
Ioannis
_______________________________________________
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro