[Bro] Bro Digest, Vol 113, Issue 31

Seth Hall seth at icir.org
Sun Sep 20 19:04:41 PDT 2015


> On Sep 20, 2015, at 6:39 PM, Hashem Alaidaros <aidaros.dev at gmail.com> wrote:
> 
> Thanks Jan for your reply.
> Actually I was trying with the packet filter framework before, but I found it lets you "exclude" traffic based on IPs, but in my case it is the opposite: I want to "include" only and let traffic on my Blacklist IPs through to Bro. In other words, I want to tell Bro, if the incoming IP address matches the blacklist file, then capture that file and analyze it, otherwise ignore (or drop) it.
> Correct me if I'm wrong. 

redef capture_filters += {
	["one-host"] = "host 1.2.3.4",
	["two-hosts"] = "host 5.6.7.8",
};

This will automatically give you a packet filter of:
	“(host 1.2.3.4) or (host 5.6.7.8)”

To explain this a bit more, Bro will automatically use “ip or not ip” which is a fully open capture filter if you don’t provide a capture_filter which puts you in a position of filtering down from having everything open.  If you provide your own capture filter(s), it will use those instead so you can build up the traffic you’re choosing to monitor.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
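As an added example (not from the original thread or the Bro project), this Python script turns a blacklist file into the capture_filters table the reply describes and shows the resulting pcap filter Bro would end up with. The file format (one address or CIDR block per line, "#" comments) and the "bl-" key names are assumptions.

```python
import ipaddress

# Bro's default when no capture_filters are defined (as stated in the reply above).
DEFAULT_CAPTURE_FILTER = "ip or not ip"


def blacklist_to_capture_filters(lines):
    """Turn blacklist lines (one IPv4/IPv6 address or CIDR block per line,
    '#' comments and blank lines allowed) into named BPF capture_filters
    entries, the way a hand-written redef capture_filters += {...} would.
    Assumed file format; junk lines raise ValueError rather than being skipped."""
    filters = {}
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses == 1:
            # Single address: the BPF "host" primitive matches either direction.
            filters[f"bl-{net.network_address}"] = f"host {net.network_address}"
        else:
            # Block: the BPF "net" primitive takes CIDR notation.
            filters[f"bl-{net.with_prefixlen}"] = f"net {net.with_prefixlen}"
    return filters


def combine_capture_filters(filters):
    """Reproduce how Bro merges capture_filters: each entry parenthesised and
    OR-ed together; an empty table means the fully open default filter."""
    if not filters:
        return DEFAULT_CAPTURE_FILTER
    return " or ".join(f"({expr})" for expr in filters.values())


def render_redef(filters):
    """Render the table as a Bro script block ready to paste into local.bro."""
    body = "".join(f'\t["{name}"] = "{expr}",\n' for name, expr in filters.items())
    return "redef capture_filters += {\n" + body + "};\n"


# Constructed sample blacklist, not taken from any real feed.
SAMPLE_BLACKLIST = """
# example blacklist
1.2.3.4
5.6.7.8      # second host
198.51.100.0/24
"""

if __name__ == "__main__":
    table = blacklist_to_capture_filters(SAMPLE_BLACKLIST.splitlines())
    print(render_redef(table))
    print("resulting pcap filter:", combine_capture_filters(table))
```

Before deploying a large list, check that the generated expression still compiles (for example with `tcpdump -d '<expression>'`), since a long OR chain of hosts produces a correspondingly large BPF program.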



