[Bro] Notice and Sumstats and how to whitelist IPs

Azoff, Justin S jazoff at illinois.edu
Thu Sep 6 13:18:47 PDT 2018


> On Sep 6, 2018, at 4:02 PM, Dillon Murphy <DMurphy at lfcu.com> wrote:
> 
> Hey Justin,
>  
> I thought the same thing, but I rechecked the IP over and over again and it is correct. I’ve also added the whitelist to the script in many different ways, but still had no luck. I’ve been able to get this to work easily on all scripts that don’t load the sumstats framework. I’ve rewritten the scripts multiple times, tested them out in try.bro.org and my tool and nothing has worked to stop the notices. I’ve tried to break and return in functions and events, but that didn’t work.
>  
> I’ve even contacted our vendor for my tool who originally added some of the scripts and their head engineer has not been able to solve it yet. It seems to just keep continuing to keep track of the intervals and sends the data to the notice, even if the IP matches what’s in the whitelist. I’m no major Bro scripting expert, but my vendor's engineer is a well-known Bro scripter, and if they had no luck, my chances are slim.
>  
> It seems that it should be as easy as returning on any matching IP, but I guess not. I don’t know what I’m missing, and I’m running out of ideas.
>  
> If you have any questions, please let me know.
>  
> Thank you for looking at my post!
>  

Hard to tell what is wrong without seeing the scripts.

As you say, it IS as easy as returning early from a function when an IP matches.

If you can share the complete script that is not working properly I can help you fix it :-)


— 
Justin Azoff
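
Added example, not part of the original message and not either poster's script: one way to apply the early return discussed above to a SumStats-driven notice, written as a Bro 2.x script. The module name, stream name, notice type, threshold and addresses are constructed for illustration; the whitelist is checked both before `SumStats::observe` and again in `threshold_crossed`.

```bro
@load base/frameworks/sumstats
@load base/frameworks/notice

module WhitelistDemo;

export {
    redef enum Notice::Type += { Many_Connections };
    ## Hosts that must never be counted or reported (constructed sample values).
    const whitelist: set[addr] = { 192.0.2.10 } &redef;
    const whitelist_nets: set[subnet] = { 198.51.100.0/24 } &redef;
}

function is_whitelisted(a: addr): bool
    {
    return a in whitelist || a in whitelist_nets;
    }

event bro_init()
    {
    local r1 = SumStats::Reducer($stream="demo.conns", $apply=set(SumStats::SUM));
    SumStats::create([$name="demo-conns-per-orig",
                      $epoch=5min,
                      $reducers=set(r1),
                      $threshold=100.0,
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["demo.conns"]$sum;
                          },
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          # Second check: covers observations fed into this stream by other scripts.
                          if ( is_whitelisted(key$host) )
                              return;
                          NOTICE([$note=Many_Connections,
                                  $src=key$host,
                                  $msg=fmt("%s made %.0f connections in 5 minutes", key$host, result["demo.conns"]$sum),
                                  $identifier=cat(key$host)]);
                          }]);
    }

event connection_established(c: connection)
    {
    local orig = c$id$orig_h;
    # First check: a whitelisted host never reaches the reducer, so nothing is counted for it.
    if ( is_whitelisted(orig) )
        return;
    SumStats::observe("demo.conns", [$host=orig], [$num=1]);
    }
```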



