[Bro] Email Notice Suppression

Jan Grashofer jan.grashofer at cern.ch
Tue Sep 1 02:03:44 PDT 2015


Hi Scotty,

have a look at automated suppression and the Notice::policy hook (https://www.bro.org/sphinx-git/frameworks/notice.html#automated-suppression and https://www.bro.org/sphinx-git/frameworks/notice.html#extending-notice-framework).

If you use the do_notice script that comes with Bro, you want to add an identifier to the notice to get automated suppression.

Best regards,
Jan
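As an added illustration of the two pointers above (this is example code written for this thread, not a script from Bro or from either poster), the following Bro script does both things in one Notice::policy hook: it removes the email action for Intel::Notice hits whose source is one listed host, and it sets an identifier so that repeats of the same hit are suppressed by the Notice framework. The host 10.10.10.10 is taken from the intel.log line in the question; the set name no_email_hosts is chosen here and is not a Bro variable. It assumes that Bro's built-in hook which adds ACTION_EMAIL from Notice::emailed_types runs at a higher priority than a user hook at the default priority, and that the suppression check is performed after the policy hooks, so an identifier set here takes effect.

```bro
@load base/frameworks/notice
@load base/frameworks/intel
@load policy/frameworks/intel/do_notice

# Constructed example: hosts for which Intel::Notice hits should still be
# logged (notice.log and intel.log) but never emailed. The name
# no_email_hosts is not part of Bro; redef it from local.bro as needed.
const no_email_hosts: set[addr] = { 10.10.10.10 } &redef;

# Runs at default priority 0, i.e. after Bro's own Notice::policy hook
# (priority 10) has already added ACTION_EMAIL for notes in
# Notice::emailed_types, so deleting the action here sticks (assumption).
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note != Intel::Notice )
		return;

	# Give every intel hit a stable identifier so the framework's automated
	# suppression collapses repeats of the same indicator from the same
	# source for Notice::default_suppression_interval.
	if ( ! n?$identifier && n?$src && n?$dst )
		n$identifier = cat(n$src, n$dst);

	# Keep the notice (it is still written to notice.log, and intel.log is
	# written by the Intel framework regardless), but do not send mail
	# when the originating host is on the exclusion list.
	if ( n?$src && n$src in no_email_hosts )
		delete n$actions[Notice::ACTION_EMAIL];
	}
```

This suppresses email for all intel hits from the listed source, not just for the Tor list; narrowing it to one feed would mean inspecting the notice's msg or sub text, whose exact format depends on the do_notice script in use, so the example does not attempt that.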

________________________________________
From: bro-bounces at bro.org [bro-bounces at bro.org] on behalf of Scotty Brown [scotty.b.brown at gmail.com]
Sent: Tuesday, September 01, 2015 01:45
To: bro at bro.org
Subject: [Bro] Email Notice Suppression

Hi All,

I'm running Bro 2.4 and have just added a bunch of Critical Stack intel
feeds.  All is working well.

One of the feeds I have is a list of Tor IPs, and once I set notices to
true for the Critical Stack intel I start getting emails (I've set up
email alerting for notices).

What I would like to do is suppress email alerts for a particular notice
from a particular src host.

i.e. (intel.log):

1441063489.889373       CEyDP6zbg6ngOFFa        10.10.10.10    45969
213.163.70.234  443     -       -       -       213.163.70.234
Intel::ADDR     Conn::IN_RESP   sensor-eth1-1 from
https://www.dan.me.uk/torlist/ via intel.criticalstack.com

So any notice that fires from src 10.10.10.10 for the torlist intel -
I'd still like to see the notice in the intel file - but not get the
email alert.

Any pointers?

Cheers,

Scotty


_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



More information about the Bro mailing list