Ignoring hosts or ranges?

relevant_username · March 6, 2012, 3:23pm

I was wondering what the best way to ignore certain hosts or ranges would be. I found some documentation from 2004 on this, but it doesn’t look like it’s applicable any more.

The reason for this is that we’re working to extract certain data from the connection log but our network scanners are creating a lot of entries in conn.log that we don’t care about. We can of course filter this all out after it’s in the log, but for the sake of simplicity I was hoping there would be a way to do this in bro.

Thanks!

Azoff_Justin · March 6, 2012, 4:07pm

Give something like this a try:

redef PacketFilter::all_packets = F; # don't capture all packets

redef capture_filters = [[ "all"] = "ip or not ip"];
redef restrict_filters += [ ["not-scanners"] = "not host 192.168.1.100 and not host 192.168.2.100"];

Seth_Hall3 · March 6, 2012, 4:18pm

Thanks for that reply Justin! I was in the middle of writing exactly the same thing. Just for the record I want to point out that this (incredibly common!) scenario is being made much easier for 2.1.

.Seth

Topic		Replies	Views
Global IP host ignore Zeek	5	92	May 6, 2022
Bro Digest, Vol 113, Issue 31 Zeek	2	63	May 6, 2022
Exclude IPS Zeek	4	72	May 6, 2022
Exclude IPS Zeek	4	115	May 6, 2022
Completely ignore Hosts and Network ranges from all checks Zeek	2	249	May 6, 2022

Ignoring hosts or ranges?

Related topics