I would like to redef my SSH::ignore_guessers to exclude hosts that I know will be consistently triggering the SSH::Password_Guessing alert due to legitimate business processes. I’ve tried the following (10.0.0.2 is the host performing the scanning in this example):
redef SSH::ignore_guessers += {
    [10.0.0.2/32] = 211.11.11.211/32,
    [10.0.0.2/32] = 10.2.2.2/32,
};
in my local.bro, did a broctl check/broctl install/broctl restart, but I still receive alerts. I am assuming that the key-value format I am trying to use is incorrect, but the code only states:
The index represents client subnets and the yield value represents server subnets.
How does one set SSH::ignore_guessers like I am trying to do?
Thanks!
-Dave
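An added illustration, not part of Dave's post and not code from the Bro project: SSH::ignore_guessers is typed `table[subnet] of subnet`, so each client-subnet key holds exactly one server subnet, and the lookup in policy/protocols/ssh/detect-bruteforcing.bro is `orig_h in ignore_guessers && resp_h in ignore_guessers[orig_h]`. The script below redefines the table with a single enclosing server subnet (10.2.2.0/24 is a constructed value chosen only for illustration), reproduces that lookup in a helper, and prints the outcome at startup so a redef can be sanity-checked with `bro -b` before it is pushed out with broctl.

```bro
# Added example (not from the original post). Assumes the stock
# detect-bruteforcing script is available on BROPATH.
@load protocols/ssh/detect-bruteforcing

# One yield per key: a second entry with the same index cannot be stored
# alongside the first, so the server side must be expressed as one subnet.
# 10.2.2.0/24 is a constructed placeholder for the servers to be exempted.
redef SSH::ignore_guessers += {
    [10.0.0.2/32] = 10.2.2.0/24,
};

# Mirrors the test performed by detect-bruteforcing.bro before it counts
# a failed login toward the Password_Guessing threshold. Tables indexed by
# subnet accept an addr for lookup (longest-prefix match).
function is_ignored(orig: addr, resp: addr): bool
    {
    return orig in SSH::ignore_guessers && resp in SSH::ignore_guessers[orig];
    }

event bro_init()
    {
    # Expected: first line T (inside 10.2.2.0/24), second line F.
    print fmt("10.0.0.2 -> 10.2.2.2 ignored: %s", is_ignored(10.0.0.2, 10.2.2.2));
    print fmt("10.0.0.2 -> 211.11.11.211 ignored: %s", is_ignored(10.0.0.2, 211.11.11.211));
    }
```

Run it with `bro -b check_ignore.bro` (filename is arbitrary) on the manager before `broctl install`; the two printed lines show directly which client/server pairs the current table exempts, which is easier than waiting for the next notice to confirm or refute a change.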