[Bro] bro_log_file and log_hook

Chris Alexander chris at moose.ca
Fri Apr 28 11:43:54 PDT 2006

On Fri, 28 Apr 2006, Robin Sommer wrote:

> The former "log_hook" is now called "alarm_hook". Here's an example:

Thanks, Robin. Very helpful.

I've got something working but...

weird.bro gets @load'ed and I end up with lots of weird messages sprayed 
to the screen.

How do I turn this off via alarm_hook?

My messages (print via alarm()) work fine but the weird stuff is still 
spraying. Probably a tidbit I'm missing?

Here's what I've got...ignore whether what is printed makes sense - 
just playing/learning the lingo.

function alarm_hook(msg: string): bool
     print msg;
     return F;

event connection_established(c: connection)
     local id = c$id;
     local service = id$resp_p;
     local inbound = is_local_addr(id$resp_h);

     if ( id$resp_h in mail_servers )

         if ( inbound && [ id$resp_h, service ] !in allowed_mail_services )
             alarm fmt("out of scope (mail) : %s", full_id_string(c));

The output looks kinda like:

1146059131.898819 weird: spontaneous_RST
1146059132.021314 weird: spontaneous_RST
1146059132.942845 weird: unsolicited_SYN_response
1146059132.945050 weird: unsolicited_SYN_response
1146059132.947408 weird: unsolicited_SYN_response
1146059132.949907 weird: unsolicited_SYN_response
out of scope (mail) : ?b ?>? ?b 0.0s
1146059132.952414 weird: unsolicited_SYN_response
1146059132.963438 weird: unsolicited_SYN_response
1146059132.966381 weird: unsolicited_SYN_response
1146059133.277703 weird: connection_originator_SYN_ack
1146059133.313146 weird: data_before_established
1146059133.315934 weird: possible_split_routing

with bazillions of weird stderr output. How to eliminate the weird stuff?



More information about the Bro mailing list