[Bro] Question about scan whitelisting ...

Michael Wenthold michael.wenthold at gmail.com
Thu Feb 19 08:33:11 PST 2015


I've been tinkering with the scan detection in Bro (2.3.2) and I was
wondering if this was the most effective method for whitelisting hosts:

# Hosts whose scan notices should be suppressed (replace x.x.x.x with the
# scanner's address; several entries can be listed, comma-separated).
const scanners_whitelist: set[addr] = {
    x.x.x.x,
};

hook Notice::policy(n: Notice::Info)
  {
  # Keep the notice, but drop its logging action when the source is whitelisted.
  if ( n$note == Scan::Port_Scan && n?$src && n$src in scanners_whitelist )
    {
    print n$src;
    delete n$actions[Notice::ACTION_LOG];
    }
  }


Please let me know if there's a better/more efficient method. Thanks!

Mike
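One way to generalize the whitelist in the post, as an added example that is not part of the original message or of the Bro distribution: the set is made redef-able and keyed by subnet so ranges can be whitelisted, it covers both scan notice types from policy/misc/scan.bro, and it uses a higher-priority hook body with break so that no action is attached to the notice at all. It assumes Bro 2.3's misc/scan script, the standard Notice::ACTION_* actions, and that the framework's own Notice::policy body adding the default ACTION_LOG runs at priority 10; the addresses and the module name ScanWhitelist are constructed placeholders.

```bro
# Added example (not from the original post or the Bro distribution).
# Assumes Bro 2.3's policy/misc/scan.bro notice types and that the
# Notice framework adds its default ACTION_LOG in a priority-10 hook body.
@load misc/scan

module ScanWhitelist;

export {
	## Hosts or networks whose scan notices should be dropped.
	## Redef-able, so local.bro can extend it:
	##   redef ScanWhitelist::scanners += { 198.51.100.7/32 };
	const scanners: set[subnet] = {
		10.0.0.0/24,    # constructed placeholder: internal vulnerability scanner range
		192.0.2.10/32,  # constructed placeholder: a single authorized host
	} &redef;

	## Notice types the whitelist applies to.
	const whitelisted_types: set[Notice::Type] = {
		Scan::Port_Scan,
		Scan::Address_Scan,
	} &redef;
}

# Priority 15 runs before the framework's priority-10 body that adds the
# default ACTION_LOG. "break" aborts all remaining hook bodies, so a
# whitelisted scan notice never receives a log, email, or alarm action.
# "addr in set[subnet]" does a prefix match, so ranges work as expected.
hook Notice::policy(n: Notice::Info) &priority=15
	{
	if ( n$note in whitelisted_types && n?$src && n$src in scanners )
		break;
	}
```

Because the whitelist is checked before any action is attached, this avoids deleting individual actions one at a time; the trade-off is that any lower-priority Notice::policy bodies you rely on for other purposes are also skipped for those notices, so keep the condition narrow.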