[Bro] SSH:ignore_guessers

David Vasil davidvasil at gmail.com
Fri Oct 17 05:49:20 PDT 2014


I would like to redef my SSH::ignore_guessers to exclude hosts that I know
will be consistently triggering the SSH::Password_Guessing alert due to
legitimate business processes.  I've tried the following (10.0.0.2 is the
host performing the scanning in this example):

redef SSH::ignore_guessers += {
       [10.0.0.2/32] = 211.11.11.211/32,
       [10.0.0.2/32] = 10.2.2.2/32,
};

in my local.bro, did a broctl check/broctl install/broctl restart, but I
still receive alerts.  I am assuming that the key-value format I am trying
to use is incorrect, but the code only states:

## The index represents client subnets and the yield value represents
## server subnets.

How does one set SSH::ignore_guessers like I am trying to do?

Thanks!
-Dave
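As an added example (not from the original post and not Bro's own code), the following local.bro fragment shows why the literal above keeps only one of its two entries, and one redef that covers both servers. It assumes Bro 2.x, where policy/protocols/ssh/detect-bruteforcing.bro declares SSH::ignore_guessers as `table[subnet] of subnet &redef`; the helper `ssh_failure_is_ignored` is hypothetical and only mirrors the lookup that script performs in `ssh_auth_failed` (client address looked up in the subnet-indexed table, then server address tested against the yielded subnet).

```bro
# Added example, not part of the original post.  Assumes Bro 2.x with
# SSH::ignore_guessers declared as `table[subnet] of subnet &redef`.
@load protocols/ssh/detect-bruteforcing

# A table holds exactly one yield per index, so a single client subnet
# can name only one server subnet.  No subnet narrower than 0.0.0.0/0
# covers both 10.2.2.2 and 211.11.11.211, so map the scanner to the
# whole IPv4 space (add [::]/0 under a separate index only if the
# scanner also reaches IPv6 servers; an index can still carry one yield).
redef SSH::ignore_guessers += {
	[10.0.0.2/32] = 0.0.0.0/0,
};

# Hypothetical helper mirroring the test detect-bruteforcing.bro applies
# in ssh_auth_failed: addr-in-subnet-indexed-table, then addr-in-subnet.
function ssh_failure_is_ignored(ig: table[subnet] of subnet,
                                orig: addr, resp: addr): bool
	{
	return orig in ig && resp in ig[orig];
	}

event bro_init()
	{
	# The literal from the post, built into a local of the same type.
	# Both elements are indexed by 10.0.0.2/32; the second assignment
	# replaces the first, so only 10.2.2.2/32 survives.
	local attempt: table[subnet] of subnet = {
		[10.0.0.2/32] = 211.11.11.211/32,
		[10.0.0.2/32] = 10.2.2.2/32,
	};
	print fmt("entries in the original literal: %d", |attempt|);   # 1

	print fmt("original literal, 10.0.0.2 -> 10.2.2.2 ignored: %s",
	          ssh_failure_is_ignored(attempt, 10.0.0.2, 10.2.2.2));       # T
	print fmt("original literal, 10.0.0.2 -> 211.11.11.211 ignored: %s",
	          ssh_failure_is_ignored(attempt, 10.0.0.2, 211.11.11.211));  # F

	# With the covering subnet, failures against either server are ignored
	# and never feed the SSH::Password_Guessing threshold.
	print fmt("redef above, 10.0.0.2 -> 211.11.11.211 ignored: %s",
	          ssh_failure_is_ignored(SSH::ignore_guessers,
	                                 10.0.0.2, 211.11.11.211));           # T

	# A different client is still tracked normally.
	print fmt("redef above, 10.0.0.3 -> 10.2.2.2 ignored: %s",
	          ssh_failure_is_ignored(SSH::ignore_guessers,
	                                 10.0.0.3, 10.2.2.2));                # F
	}
```

The price of this shape is that the table cannot express "this scanner may fail against these two hosts but nobody else": the type allows one server subnet per client subnet, so the only way to whitelist two servers that share no prefix is to whitelist every server for that client. If the scanner only ever touches hosts inside one network, use that network as the yield instead of 0.0.0.0/0. Drop the bro_init block once the check has confirmed the behaviour; only the @load and the redef belong in a production local.bro.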