Ignoring hosts or ranges?

relevant_username · March 6, 2012, 3:23pm

I was wondering what the best way to ignore certain hosts or ranges would be. I found some documentation from 2004 on this, but it doesn’t look like it’s applicable any more.

The reason for this is that we’re working to extract certain data from the connection log but our network scanners are creating a lot of entries in conn.log that we don’t care about. We can of course filter this all out after it’s in the log, but for the sake of simplicity I was hoping there would be a way to do this in bro.

Thanks!

Azoff_Justin · March 6, 2012, 4:07pm

Give something like this a try:

redef PacketFilter::all_packets = F; # don't capture all packets

redef capture_filters = [[ "all"] = "ip or not ip"];
redef restrict_filters += [ ["not-scanners"] = "not host 192.168.1.100 and not host 192.168.2.100"];

Seth_Hall3 · March 6, 2012, 4:18pm

Thanks for that reply Justin! I was in the middle of writing exactly the same thing. Just for the record I want to point out that this (incredibly common!) scenario is being made much easier for 2.1.

.Seth

Topic		Replies	Views
Global IP host ignore Zeek	5	75	May 6, 2022
Problem changing restrict_filters Zeek	2	62	May 6, 2022
Filtering help Zeek	11	653	May 6, 2022
Help，About Packet Filter Zeek	3	110	May 6, 2022
Issues with my DNS Filter	1	73	March 27, 2024

Ignoring hosts or ranges?

Related Topics