[Bro] General Whitelisting IP's or Domains

Azoff, Justin S jazoff at illinois.edu
Thu Nov 29 09:29:46 PST 2018

> Is there a generic way to whitelist certain IPs/Subnets or Domains in local.bro for the whole Bro configuration so as not to produce logs and/or notices?
> For e.g. whitelist or google.com?

It depends.. if you wanted to ignore ALL traffic to you could add this:

    redef restrict_filters += [ ["not-google-dns"] = "not (host" ];

Ignoring a 'google.com' is possible as well, but a little more involved since it
could appear in dns, ssl, or http logs.  Is there a particular kind of log that
you are seeing domains in that you want to ignore, or all of the above?

- Justin
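
The per-log approach mentioned in the reply, as an added example that is not part of the original post: it swaps the default filter on dns.log, ssl.log and http.log for one whose predicate drops records naming an ignored domain. It assumes Bro 2.x with the stock dns, ssl and http scripts loaded; the `DomainIgnore` module, its function names and `example.com` are constructed for illustration.

```bro
module DomainIgnore;

export {
    ## Exact-match pattern: the domain itself or any subdomain.
    ## example.com is a constructed placeholder.
    const ignored_domains = /(.*\.)?example\.com/ &redef;
}

# pattern == string is an exact (fully anchored) match in Bro.
function is_ignored(name: string): bool
    {
    return ignored_domains == to_lower(name);
    }

# A filter predicate returns T to write the record and F to drop it.
# Each field is optional, so test with ?$ before reading it.
function keep_dns(rec: DNS::Info): bool
    {
    return ! ( rec?$query && is_ignored(rec$query) );
    }

function keep_ssl(rec: SSL::Info): bool
    {
    return ! ( rec?$server_name && is_ignored(rec$server_name) );
    }

function keep_http(rec: HTTP::Info): bool
    {
    return ! ( rec?$host && is_ignored(rec$host) );
    }

event bro_init()
    {
    # Replace each stream's default filter with one that writes to the
    # same path but consults the predicate first.
    Log::remove_default_filter(DNS::LOG);
    Log::add_filter(DNS::LOG, [$name="dns-ignore", $path="dns", $pred=keep_dns]);

    Log::remove_default_filter(SSL::LOG);
    Log::add_filter(SSL::LOG, [$name="ssl-ignore", $path="ssl", $pred=keep_ssl]);

    Log::remove_default_filter(HTTP::LOG);
    Log::add_filter(HTTP::LOG, [$name="http-ignore", $path="http", $pred=keep_http]);
    }
```

This only suppresses entries in those three logs: the underlying connections still appear in conn.log and notices are unaffected. The traffic is still captured and analyzed, unlike with a `restrict_filters` entry.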
