[Bro] Exclude S0 connections from conn.log?

Jan Grashöfer jan.grashoefer at gmail.com
Mon Jul 17 01:40:35 PDT 2017

Hi Mike,

> Basically what I'd like to achieve is for the script to not log any events
> with a conn_state of S0 if the originating node is not in my local
> networks.
> If someone could give me some guidance on how to achieve this I'd be
> forever grateful.

You can use a filter (e.g., change the default one):

There is also a blog post
(http://blog.bro.org/2012/02/filtering-logs-with-bro.html) with a couple
of examples as well as scripts available on GitHub (e.g.,
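
A filter of the kind the reply describes, as an added example that is not part of the original message: it assumes `Site::local_nets` is populated (for example through BroControl's networks.cfg) and uses the Bro 2.x logging-framework calls `Log::get_filter` and `Log::add_filter` with the filter's `pred` field.

```bro
# Added example, not code from the original message.
# Keeps every conn.log entry except S0 connections whose originator
# is outside Site::local_nets (assumed to be configured for the site).

event bro_init()
    {
    # Start from the default conn.log filter so its path and other
    # settings stay unchanged.
    local f = Log::get_filter(Conn::LOG, "default");

    f$pred = function(rec: Conn::Info): bool
        {
        # conn_state is an optional field; log the record if it is unset.
        if ( ! rec?$conn_state )
            return T;

        # Drop only unanswered connection attempts (S0) that were
        # initiated from a non-local address.
        if ( rec$conn_state == "S0" && ! Site::is_local_addr(rec$id$orig_h) )
            return F;

        return T;
        };

    # Adding a filter under the existing name "default" replaces it.
    Log::add_filter(Conn::LOG, f);
    }
```

The predicate only decides what is written to conn.log; scripts that handle connection events still see the S0 connections.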

