General Whitelisting IPs or Domains

Hi,

Is there a generic way to whitelist certain IPs/subnets or domains in local.bro for the whole Bro configuration, so as not to produce logs and/or notices?

E.g. whitelist 8.8.8.8 or google.com?

Thanks in advance,
Alex Kefallonitis

It depends... If you wanted to ignore ALL traffic to 8.8.8.8, you could add this:

    redef restrict_filters += [ ["not-google-dns"] = "not (host 8.8.8.8)" ];

Ignoring a 'google.com' is possible as well, but a little more involved since it
could appear in dns, ssl, or http logs. Is there a particular kind of log that
you are seeing domains in that you want to ignore, or all of the above?
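
One way to cover the domain case across dns, http, and ssl logs, as an added example that is not code from the thread: Bro's logging framework lets a filter carry a `pred` function that decides per record whether it is written. Unlike the `restrict_filters` line above, which drops packets before any analysis, this only suppresses the log entries. The names `whitelist_nets`, `whitelist_domains`, and the three `*_keep` functions are hypothetical, and the entries are constructed samples.

```bro
# Added example, not from the thread. All names below are hypothetical.

# Constructed sample whitelist entries.
const whitelist_nets: set[subnet] = { 8.8.8.8/32 } &redef;

# "==" on a pattern is a whole-string match, so this matches google.com
# and its subdomains but not e.g. notgoogle.com.
const whitelist_domains: pattern = /(.*\.)?google\.com/ &redef;

# Each predicate returns T to keep a record and F to suppress it.
function dns_keep(rec: DNS::Info): bool
    {
    if ( rec$id$resp_h in whitelist_nets )
        return F;
    return ! ( rec?$query && whitelist_domains == rec$query );
    }

function http_keep(rec: HTTP::Info): bool
    {
    return ! ( rec?$host && whitelist_domains == rec$host );
    }

function ssl_keep(rec: SSL::Info): bool
    {
    return ! ( rec?$server_name && whitelist_domains == rec$server_name );
    }

event bro_init()
    {
    # Re-adding a filter under the name "default" replaces the stock one.
    local d = Log::get_filter(DNS::LOG, "default");
    d$pred = dns_keep;
    Log::add_filter(DNS::LOG, d);

    local h = Log::get_filter(HTTP::LOG, "default");
    h$pred = http_keep;
    Log::add_filter(HTTP::LOG, h);

    local s = Log::get_filter(SSL::LOG, "default");
    s$pred = ssl_keep;
    Log::add_filter(SSL::LOG, s);
    }
```

The matching connections still appear in conn.log, because that stream carries no domain field to match on.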

Hi, and thanks for the response.

I want to be able to apply the whitelist in all of the above as a generic solution when something is spamming or hits as a false positive. So is there any generic solution?

Thanks in advance,
Alex Kefallonitis

On Thu, 29 Nov 2018 at 7:30 PM, Azoff, Justin S <jazoff@illinois.edu> wrote:

So I cannot find any other way for generic whitelisting; I am not so sure how DNS could work. Any suggestions?

On Thu, 29 Nov 2018 at 7:34 PM, Alex Kefallonitis <al.kefallonitis@gmail.com> wrote: