I would like to redef my SSH::ignore_guessers to exclude hosts that I know will be consistently triggering the SSH::Password_Guessing alert due to legitimate business processes. I’ve tried the following ( is the host performing the scanning in this example):

redef SSH::ignore_guessers += {
[] =,
[] =,

in my local.bro, did a broctl check/broctl install/broctl restart, but I still receive alerts. I am assuming that the key-value format I am trying to use is incorrect, but the code only states:

The index represents client subnets and the yield value represents server subnets.

How does one set SSH:ignore_guessers like I am trying to do?