Hello all,

I am running Bro 2.1 in Security Onion 12.04 and I am very happy with it. This
level of detail into what is happening on the network is just amazing! I'm
beginning to wonder how I ever did without it for so long.

I have an ssh that happens every 5 minutes which causes a lot of noise.

I've gone through all of the docs on bro.org and done some googling but can't
seem to figure out how to whitelist certain connections so they will not
constantly appear in the bro alarm summaries. I did find this, which contains
an example for watching ssh to particular hosts which seems related to what I
am trying to do:


But what I want is somewhat the opposite: I want to ignore/whitelist
connections to certain hosts, preferably from certain IP addresses.

Can anyone suggest how this would be done?

And while I'm writing (and related to another example in the above URL) I get
alarms about SSL certs. I would like to add our in-house CA to the list of
accepted certs. How can I do this?

Thanks for a great tool!

Hi Tracy

Have you looked at this, http://code.google.com/p/security-onion/wiki/BPF


Also, the Bro scripting language is very accessible once you learn its syntax. Check out a great repository at https://github.com/bro/ - especially see the "cheat sheet" link there. With this you can roll you own mods without too much trouble. Jump in!