HI
I used to filter ip by adding this command to local.bro
redef restrict_filters = { [“not-hosts”] = “not host X.X.X.X” };
but now I want to filter out only src_ip(in bro id.orig_h)
I tried
redef restrict_filters = { [“not-nets”] = “not src net X.X.X.X” };
redef restrict_filters = { [“not-nets”] = “!src net X.X.X.X” };
redef restrict_filters = { [“not-nets”] = “not(src net X.X.X.X)” };
but it does not filter a ip I want from src_ip
it there a way to filter out only a src_ip?
Thank you
Are you sure you really want to filter a src address? Because Bro typically needs full duplex traffic to work correctly, it rarely makes sense to filter with a src or dst.
Do you also have multiple “redef restrict_filters” line as you showed? You are doing full value assignment by using “=“ instead of extending the table with “+=“ which will definitely cause you trouble if that’s happening.
.Seth
src_ip I want to filter out is a ‘proxy web server ip’. I want to watch only local net work log.
There is to much proxy_src_ip log that we do not need, other reason is to reduce log amount
(I am getting live traffic by mirror which our customer is doing, so I do not have any choice)
I did not write multiple “redef restrict_filters” line. I ran one line at a time.
Thank you
I believe you’re over-thinking this. Just remove the “src” from your expressions. Try something like this…
redef restrict_filters += {
["not-nets"] = "not net 1.2.3.0/24”
};
.Seth