I'm trying to configure a bridge-firewall with the bro IDS on it to
check web traffic (for example). But I have some trouble. Actually, if
I launch bro with the http rules, due to dependencies I have to load
the scan rules. And the scan rules try to connect to some machines... But my
aim is to have an IDS without an IP address, so without connections from
and to the bridge.
Due to that, bro gives me a lot of warnings and is very long to
I try to modify the rules via my conf file but there are some kinds I
don't understand. For example, if I change the "skip_scan_sources" to
an empty value after loading the scan rule (loading via http rule),
bro tries to resolve addresses before changing the value. And if I put the
redef variable before loading the rule, Bro tells me: "redef" used but
not previously defined"...
I think there are some fundamental things I don't understand but I'll
If anybody has an idea about that or eventually a configuration file
to give me some ideas, it would be great!
Thanks & Regards,