Bro Digest, Vol 113, Issue 31

Thanks Jan for your reply.
Actually I was trying with the packet filter framework before, but I found that it lets you “exclude” traffic based on IPs, whereas in my case it is the opposite: I want to “include” only, and let traffic to or from my blacklist IPs through to Bro. In other words, I want to tell Bro: if the incoming IP address matches the blacklist file, then capture that file and analyze it, otherwise ignore (or drop) it.
Correct me if I’m wrong.
I hope I can find the answer in this mailing list.

# Each table entry is one BPF expression; Bro ORs all entries together
# to build the capture filter it installs on the interface.
redef capture_filters += {
  ["one-host"] = "host 1.2.3.4",
  ["two-hosts"] = "host 5.6.7.8",
};

This will automatically give you a packet filter of:
  “(host 1.2.3.4) or (host 5.6.7.8)”

To explain this a bit more: if you don’t provide a capture_filter, Bro will automatically use “ip or not ip”, which is a fully open capture filter, and that puts you in a position of filtering down from having everything open. If you provide your own capture filter(s), it will use those instead, so you can build up the traffic you’re choosing to monitor.

  .Seth
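The following Python script is an added example, not code from the mailing-list thread or from the Bro project. It generates the capture_filters block described above from a blacklist file instead of typing the entries by hand. The blacklist contents are constructed sample data; the key prefix "blacklist-" is an arbitrary choice. It also goes slightly beyond the thread by accepting CIDR ranges (emitted as BPF "net" terms) and IPv6 hosts, and it refuses an empty list, because with no capture_filters entries Bro falls back to the fully open "ip or not ip" filter, which is the opposite of the "include only" behaviour the poster wants. Note that Bro combines the table entries itself, so the order of the terms in the installed filter is not guaranteed to match the file order.

```python
import ipaddress

# Constructed sample blacklist (not from the thread): one entry per line,
# '#' comments and blank lines allowed, bare hosts or CIDR ranges, v4 or v6.
SAMPLE_BLACKLIST = """\
# constructed sample blacklist
1.2.3.4
5.6.7.8
10.20.0.0/16
1.2.3.4          # duplicate, should be collapsed
2001:db8::1
not-an-address   # malformed, should be skipped
"""


def parse_blacklist(text):
    """Return de-duplicated ipaddress networks, in file order.

    Bare hosts become /32 (or /128) networks; malformed lines are skipped
    rather than aborting, so one bad line cannot leave the sensor unfiltered.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue                          # skip malformed entries
        if net not in nets:
            nets.append(net)
    return nets


def bpf_term(net):
    """BPF primitive for one entry: 'host X' for a single address, else 'net X/len'."""
    if net.num_addresses == 1:
        return "host %s" % net.network_address
    return "net %s" % net.with_prefixlen


def build_capture_filter(nets):
    """Join the terms with 'or', parenthesised as Bro does for capture_filters entries."""
    if not nets:
        # No entries would make Bro install 'ip or not ip' (capture everything).
        raise ValueError("empty blacklist: Bro would fall back to a fully open filter")
    return " or ".join("(%s)" % bpf_term(n) for n in nets)


def render_bro_redef(nets, key_prefix="blacklist"):
    """Emit a Bro 'redef capture_filters += { ... };' block, one entry per network."""
    if not nets:
        raise ValueError("empty blacklist: refusing to emit an empty redef")
    lines = ["redef capture_filters += {"]
    for i, net in enumerate(nets):
        lines.append('  ["%s-%d"] = "%s",' % (key_prefix, i, bpf_term(net)))
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    nets = parse_blacklist(SAMPLE_BLACKLIST)
    print(render_bro_redef(nets))
    print("# resulting BPF filter:", build_capture_filter(nets))
```

Run the script and paste its output into a local Bro script to load the blacklist as capture_filters; regenerate it whenever the blacklist changes, since Bro reads capture_filters at startup.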