[Bro] Bro restrict filters question
Azoff, Justin S
jazoff at illinois.edu
Tue Jun 13 08:12:41 PDT 2017
> On Jun 13, 2017, at 10:59 AM, Edgmand, Craig <craig.edgmand at okstate.edu> wrote:
>
> Hello,
>
> I am running Bro 2.5 and I am trying to set up some restrict_filters to drop certain hosts and types of traffic.
> I have the following entries in my local.bro:
>
> redef PacketFilter::enable_auto_protocol_capture_filters = F;
> redef capture_filters = { ["packets-like-this"] = "ip or not ip" };
> redef restrict_filters = { ["no-data-like-this"] = "not host 192.168.2.1" };
>
>
> I had something similar in earlier versions of Bro that seemed to work but this doesn’t work at all.
>
> When I run ./broctl print restrict_filters it shows that the workers have that filter.
>
> Any ideas?
Is your traffic vlan tagged? You may need to use
redef restrict_filters = { ["no-data-like-this"] = "vlan and not host 192.168.2.1" };
--
- Justin Azoff
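
Added example, not part of the original thread: a simplified Python model of why a BPF expression such as "not host 192.168.2.1" can pass everything on 802.1Q-tagged links, and how the "vlan" keyword shifts the offsets the filter reads. The frames are constructed sample data, the function names are hypothetical, and only the IPv4 part of the `host` primitive is modelled.

```python
import socket
import struct

ETH_IP, ETH_VLAN = 0x0800, 0x8100

def frame(src, dst, vlan_id=None):
    """Constructed Ethernet + IPv4 header, optionally with an 802.1Q tag."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_VLAN, vlan_id)   # TPID + VLAN id
    eth += struct.pack("!H", ETH_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip

def host_match(pkt, addr, l2_shift=0):
    """IPv4 part of 'host addr': EtherType at a fixed offset, then src/dst IP."""
    off = 12 + l2_shift
    (ethertype,) = struct.unpack_from("!H", pkt, off)
    if ethertype != ETH_IP:          # a tagged frame has 0x8100 at offset 12
        return False
    ip = socket.inet_aton(addr)
    return pkt[off + 14:off + 18] == ip or pkt[off + 18:off + 22] == ip

def not_host(pkt, addr):
    """'not host addr': True means the packet is kept."""
    return not host_match(pkt, addr)

def vlan_and_not_host(pkt, addr):
    """'vlan and not host addr': needs a tag, then reads 4 bytes further in."""
    (tpid,) = struct.unpack_from("!H", pkt, 12)
    if tpid != ETH_VLAN:
        return False                 # untagged frames never match 'vlan'
    return not host_match(pkt, addr, l2_shift=4)

EXCLUDED = "192.168.2.1"
TAGGED_EXCLUDED = frame(EXCLUDED, "10.0.0.5", vlan_id=100)
TAGGED_OTHER = frame("10.0.0.7", "10.0.0.5", vlan_id=100)
UNTAGGED_EXCLUDED = frame(EXCLUDED, "10.0.0.5")

if __name__ == "__main__":
    for name, pkt in [("tagged, excluded host", TAGGED_EXCLUDED),
                      ("tagged, other host", TAGGED_OTHER),
                      ("untagged, excluded host", UNTAGGED_EXCLUDED)]:
        print(f"{name:24} not host: {not_host(pkt, EXCLUDED)!s:5} "
              f"vlan and not host: {vlan_and_not_host(pkt, EXCLUDED)}")
```

In this model the plain filter keeps the tagged packet from the excluded host, while the "vlan" form drops it but also drops all untagged frames, which matters on links that carry both.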