[Bro] General Whitelisting IP's or Domains
Azoff, Justin S
jazoff at illinois.edu
Thu Nov 29 09:29:46 PST 2018
> Is there a generic way to whitelist certain IPs/subnets or domains in local.bro for the whole Bro configuration so as not to produce logs and/or notices?
>
> E.g. whitelist 8.8.8.8 or google.com?

It depends. If you wanted to ignore ALL traffic to 8.8.8.8 you could add this:

    redef restrict_filters += [ ["not-google-dns"] = "not (host 8.8.8.8)" ];

Ignoring 'google.com' is possible as well, but a little more involved since it
could appear in dns, ssl, or http logs. Is there a particular kind of log that
you are seeing domains in that you want to ignore, or all of the above?

--
- Justin