I would like to redef my SSH::ignore_guessers to exclude hosts that I know will be consistently triggering the SSH::Password_Guessing alert due to legitimate business processes. I’ve tried the following (10.0.0.2 is the host performing the scanning in this example):
in my local.bro, did a broctl check/broctl install/broctl restart, but I still receive alerts. I am assuming that the key-value format I am trying to use is incorrect, but the code only states:
How does one set SSH:ignore_guessers like I am trying to do?