Exclude IPS

ioannis.psaroudakis · November 18, 2014, 5:06pm

Hi All,

I am running the latest version of Bro and I would like to exclude (not at all log) events from specific IPs.

Can someone provide me with a link/info on how to do this?

Thnx for your time.

Regards

Ioannis

McMahon_Kevin_J · November 18, 2014, 5:43pm

redef restrict_filters += [[“blockedIPs”] = “not net 192.168.1.0/24”];

I think you may need to also include: redef PacketFilter::all_packets = F; I have both of these statements in my config, but I put them in there a long time ago.

Grant_Stavely · November 18, 2014, 7:14pm

redef restrict_filters += [[“blockedIPs”] = “not net 192.168.1.0/24”];

I think you may need to also include: redef PacketFilter::all_packets = F; I have both of these statements in my config, but I put them in there a long time ago.

ioannis.psaroudakis · November 21, 2014, 11:23am

Hi Grant

Thanks for your answer.

I tested your proposal and it runs OK for Bro 2.3.1 running in Ubuntu 14.04 except for the “OR” operator.

I had to add the second IP to an additional filter line.

Regards,

Ioannis

Topic		Replies	Views
Exclude IPS Zeek	4	74	May 6, 2022
Exclude IPS - only src ip Zeek	4	92	May 6, 2022
Bro restrict filters question Zeek	4	118	May 6, 2022
Bro Digest, Vol 113, Issue 31 Zeek	2	63	May 6, 2022
Ignoring hosts or ranges? Zeek	3	80	May 6, 2022

Exclude IPS

Related topics