[ https://bro-tracker.atlassian.net/browse/BIT-1478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22107#comment-22107 ]

Johanna Amann commented on BIT-1478:
------------------------------------

Since this is not really a bug, but a question, the mailing list or IRC are 
probably better suited for this question.

That being said, you can add BPF filters with the syntax described in 
https://www.bro.org/sphinx/scripts/base/frameworks/packet-filter/main.bro.html. 
The thread at 
http://comments.gmane.org/gmane.comp.security.detection.bro/4759 also has a few 
examples. There is no easy way to tell Bro to just allow traffic containing 
x509 certificates - you have to build the filter yourself, only allowing the 
hosts and services that have traffic containing x509 certificates. If using 
broctl, typically you would add the filter commands to local.bro or to a script 
that you load from local.bro -- it is discouraged to edit any scripts in base/ 
or policy/ yourself.

I will close this bug - like I said, if you have more questions the mailing 
list / IRC chat will probably give you more replies.

> BPF Filter for local.bro per activated log file
> -----------------------------------------------
>
>                 Key: BIT-1478
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1478
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3, 2.4
>         Environment: linux, mac osx
>            Reporter: Lu Goon
>              Labels: analyzer, ssl, x509
>
> When activating the x509.log or bro script in local.bro, can I configure a 
> BPF filter to only affect x509? For example I only want to have events that 
> the dust_host is our DMZ subnet. Can I configure that in the x509.bro file or 
> some other bro configuration file?



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-05-005#70102)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
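
A sketch of the local.bro approach described in the comment above, added here as an illustration and not taken from the thread or from the Bro project's scripts. The subnet 192.0.2.0/24 and the port list are constructed placeholders for the DMZ and for the services there that present certificates; `restrict_filters` is the packet-filter framework's redef-able table of named BPF expressions.

```bro
# Added example for local.bro (or a script loaded from local.bro).
# Assumptions (not from the thread):
#   - 192.0.2.0/24 is a placeholder for the DMZ subnet
#   - 443, 993 and 995 are placeholders for the TLS services hosted there

# Each restrict_filters entry is ANDed onto the active capture filter, and
# multiple entries are ANDed with each other. Packets that do not match are
# discarded before any analyzer runs.
redef restrict_filters += {
	["dmz-tls-only"] = "net 192.0.2.0/24 and (tcp port 443 or tcp port 993 or tcp port 995)",
};

# Consequences to keep in mind:
#   - The filter is global. conn.log, dns.log, http.log and every other log
#     lose visibility of all traffic outside the expression, not only x509.log.
#   - TLS on a port missing from the list is dropped before analysis, so
#     certificates seen on non-standard ports will not be logged.
#   - The expression matches either direction ("net" covers src and dst).
#     Use "dst net 192.0.2.0/24" only if one-directional capture is really
#     intended; connection analysis generally needs both directions.
#   - After restarting, check packet_filter.log to confirm which filter was
#     actually compiled and installed.
```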