I have an install using 8 nodes and a master on a single host. I’m monitoring ~2,000 hosts across a split core and would like to add a global ignore for a handfull of noisy hosts.
What’s the best approach to handle this?
Thanks in advance
Unfortunately it's kind of messy right now due to implementation issues in the packet filter framework, but here it goes (it will be fixed in 2.2 probably, I didn't get the rewrite ready for 2.1)…
redef PacketFilter::all_packets = F;
redef capture_filters = [[ "all"] = "ip or not ip"];
redef restrict_filters += [ ["not-high-volume-hosts"] = "not host 192.168.1.100 and not host 192.168.2.100"];
You can just set the restrict filter to whatever you want and put that in local.bro.
.Seth
Thanks Seth
I'll try to wrap my head around that and make it work.
-j
Sorry about the complicated-ness of it, this was a particular pain point for the 2.0 release and will continue to be for the 2.1 release it looks like. This task will be extremely easy to do and understand once my packet filter framework changes are merged in. Keep the questions coming!
.Seth
-j