[Bro] Question about scan whitelisting ...
Michael Wenthold
michael.wenthold at gmail.com
Thu Feb 19 08:33:11 PST 2015
I've been tinkering with the scan detection in Bro (2.3.2) and I was
wondering if this was the most effective method for whitelisting hosts:
# Set of scanner sources to suppress (replace x.x.x.x with the real addresses).
const scanners_whitelist: set[addr] = { x.x.x.x } &redef;

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Scan::Port_Scan && n?$src && n$src in scanners_whitelist )
		{
		print n$src;
		# ACTION_LOG is added by a higher-priority Notice::policy handler,
		# so removing it here keeps the notice out of notice.log.
		delete n$actions[Notice::ACTION_LOG];
		}
	}
Please let me know if there's a better/more efficient method. Thanks!
Mike
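An added example (editor's illustration, not part of the original post or of Bro's own scan.bro) of the alternative the question is after: rather than letting the scan detector count a whitelisted host and then stripping ACTION_LOG from the resulting notice, stop the observation before it is counted. It assumes the Scan::addr_scan_policy and Scan::port_scan_policy hooks that policy/misc/scan.bro exposes in Bro 2.x (a `break` in a hook handler makes the hook evaluate to false, so the detector skips the observation); the module name ScanWhitelist, the variable name whitelist and the 192.0.2.x addresses are placeholders chosen for the example.

```bro
@load policy/misc/scan

module ScanWhitelist;

export {
	## Hosts whose scanning activity should be ignored entirely.
	## Constructed placeholder addresses (assumption); override via redef.
	const whitelist: set[addr] = { 192.0.2.10, 192.0.2.11 } &redef;
}

# Keep the address-scan detector from counting observations from
# whitelisted hosts at all, instead of suppressing the notice afterwards.
# Assumes scan.bro consults Scan::addr_scan_policy before recording.
hook Scan::addr_scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	if ( scanner in whitelist )
		break;
	}

# Same for the port-scan detector (assumes Scan::port_scan_policy).
hook Scan::port_scan_policy(scanner: addr, victim: addr, scanned_port: port)
	{
	if ( scanner in whitelist )
		break;
	}

# Fallback: if a notice still arrives for a whitelisted host (for example a
# host added to the set while its scan was already being tracked), keep it
# out of notice.log for both scan note types. Default priority 0 runs after
# the framework's priority-10 handler that adds ACTION_LOG, so the delete
# sticks.
hook Notice::policy(n: Notice::Info)
	{
	if ( (n$note == Scan::Address_Scan || n$note == Scan::Port_Scan)
	     && n?$src && n$src in whitelist )
		delete n$actions[Notice::ACTION_LOG];
	}
```

Load the script from local.bro and extend the set there with `redef ScanWhitelist::whitelist += { 203.0.113.5 };` rather than editing the script. The policy hooks are the cheaper path: they short-circuit before the detector records anything for the host, whereas a Notice::policy handler only runs once the threshold has already been crossed and the notice generated.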