[Bro] filtering types from http-ext-outbound.log

Seth Hall seth at remor.com
Fri Aug 6 06:35:36 PDT 2010

On Aug 6, 2010, at 9:14 AM, Ewald Beekman wrote:

> How can i filter out those url's so they don't end up into this
> logfile, or if that's complicated, how can i limit logging into
> this file to only contain "application/x-dosexec" downloads?

You have two choices, you can handle the http_ext event yourself and do logging however you want (check out logging.http-ext.bro for an example), or you can do the following after you load the logging.http-ext.bro script.

redef HTTP::logging = None; # Other options are Inbound, Outbound, and the default All

It still logs requests matching file types you want logged because the http-ext-identified-files.bro script forces identified files to be logged.  All of the options for HTTP logging through the http-ext.bro script are documented at the top of the logging.http-ext.bro script.  Options for identifying files you want to log can be found at the top of the http-ext-identified-files.bro script.

I hadn't considered doing a negative filter for logs, but that is certainly something I could add to my logging framework.  My initial thought is that it would just be a regular expression for matching the full log line and if the regex matches the line, it wouldn't be logged.


More information about the Bro mailing list