[Bro] General Whitelisting IP's or Domains
Azoff, Justin S
jazoff at illinois.edu
Thu Nov 29 09:29:46 PST 2018
> Is there a generic way to whitelist certain IPs/Subnets or Domains in local.bro for the whole Bro configuration so as not to produce logs and/or notices?
> E.g., whitelist 18.104.22.168 or google.com?
It depends... If you wanted to ignore ALL traffic to 22.214.171.124, you could add this:
redef restrict_filters += [ ["not-google-dns"] = "not (host 126.96.36.199)" ];
Ignoring a 'google.com' is possible as well, but a little more involved since it
could appear in dns, ssl, or http logs. Is there a particular kind of log that
you are seeing domains in that you want to ignore, or all of the above?
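
The per-log approach mentioned above could look like the following sketch for the Bro 2.x logging framework. It is an added example, not part of the original post: the module name, function names and the placeholder domain example.com are assumptions.

```bro
# Added example for Bro 2.x; example.com is a constructed placeholder domain.
module IgnoreDomain;

export {
	## Names to leave out of dns.log, http.log and ssl.log:
	## the domain itself and any subdomain (exact match, see below).
	const ignored_names = /(.*\.)?example\.com/ &redef;
}

# Each predicate returns F for records that should NOT be written.
# "pattern == string" is an exact match against the whole string.
function keep_dns(rec: DNS::Info): bool
	{
	return ! (rec?$query && ignored_names == rec$query);
	}

function keep_http(rec: HTTP::Info): bool
	{
	return ! (rec?$host && ignored_names == rec$host);
	}

function keep_ssl(rec: SSL::Info): bool
	{
	return ! (rec?$server_name && ignored_names == rec$server_name);
	}

event bro_init()
	{
	# Re-adding a filter named "default" replaces the stock one per stream.
	Log::add_filter(DNS::LOG, [$name="default", $pred=keep_dns]);
	Log::add_filter(HTTP::LOG, [$name="default", $pred=keep_http]);
	Log::add_filter(SSL::LOG, [$name="default", $pred=keep_ssl]);
	}
```

These predicates only suppress entries in the three logs they are attached to; conn.log records and notices for the same traffic are still produced.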