[Bro] General Whitelisting IP's or Domains

Azoff, Justin S jazoff at illinois.edu
Thu Nov 29 09:29:46 PST 2018


> Is there a generic way to whitelist certain IPs/subnets or domains in local.bro for the whole Bro configuration, so as not to produce logs and/or notices?
> 
> E.g., whitelist 8.8.8.8 or google.com?

It depends. If you wanted to ignore ALL traffic to 8.8.8.8 you could add this:

    redef restrict_filters += [ ["not-google-dns"] = "not (host 8.8.8.8)" ];

Ignoring a 'google.com' is possible as well, but a little more involved since it
could appear in dns, ssl, or http logs.  Is there a particular kind of log that
you are seeing domains in that you want to ignore, or all of the above?

-- 
- Justin

