[Bro] filtering types from http-ext-outbound.log
seth at remor.com
Fri Aug 6 06:35:36 PDT 2010
On Aug 6, 2010, at 9:14 AM, Ewald Beekman wrote:
> How can I filter out those URLs so they don't end up in this
> logfile, or if that's complicated, how can I limit logging into
> this file to only contain "application/x-dosexec" downloads?
You have two choices: you can handle the http_ext event yourself and do logging however you want (check out logging.http-ext.bro for an example), or you can do the following after you load the logging.http-ext.bro script.
redef HTTP::logging = None; # Other options are Inbound, Outbound, and the default All
It still logs requests matching file types you want logged because the http-ext-identified-files.bro script forces identified files to be logged. All of the options for HTTP logging through the http-ext.bro script are documented at the top of the logging.http-ext.bro script. Options for identifying files you want to log can be found at the top of the http-ext-identified-files.bro script.
I hadn't considered doing a negative filter for logs, but that is certainly something I could add to my logging framework. My initial thought is that it would just be a regular expression for matching the full log line and if the regex matches the line, it wouldn't be logged.
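A post-processing version of the two filters discussed in this thread, added here as an example; it is not Bro code and not part of the original post. It applies the positive filter (keep only records whose mime-type field is application/x-dosexec) and the negative filter Seth describes (drop any line a regular expression matches anywhere in the full log line) to a log already written to disk. The sample log lines and their tab-separated field layout are constructed for the example; the real http-ext-outbound.log layout may differ, so MIME_FIELD is an assumption you would adjust to the actual column.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample of a tab-separated HTTP log. The field layout
# (timestamp, client, server, method, uri, mime type) is an assumption
# for this example, not the real http-ext-outbound.log format.
SAMPLE_LOG = (
    "1281101736.12\t10.0.0.5\t93.184.216.34\tGET\t/index.html\ttext/html\n"
    "1281101740.55\t10.0.0.5\t93.184.216.34\tGET\t/setup.exe\tapplication/x-dosexec\n"
    "1281101742.01\t10.0.0.7\t192.0.2.10\tGET\t/images/logo.png\timage/png\n"
    "1281101745.90\t10.0.0.7\t192.0.2.10\tGET\t/update/agent.exe\tapplication/x-dosexec\n"
    "1281101750.33\t10.0.0.9\t198.51.100.4\tPOST\t/api/ping\tapplication/json\n"
)

# Zero-based index of the mime-type column in the constructed layout (assumption).
MIME_FIELD = 5


def keep_mime_type(lines: Iterable[str], mime: str = "application/x-dosexec") -> List[str]:
    """Positive filter: keep only records whose mime-type field equals `mime`.

    Records with too few fields (truncated or malformed lines) are dropped
    rather than raising, so one bad line does not abort the whole pass.
    """
    kept = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) > MIME_FIELD and fields[MIME_FIELD] == mime:
            kept.append(line)
    return kept


def drop_matching(lines: Iterable[str], pattern: str) -> List[str]:
    """Negative filter: drop any record the regex matches anywhere in the full line.

    This is the behaviour described in the thread: the regex is tested against
    the complete log line, and a match means the line is not logged.
    """
    regex = re.compile(pattern)
    return [line for line in lines if not regex.search(line)]


def filter_log(text: str, mime: Optional[str] = None, exclude: Optional[str] = None) -> List[str]:
    """Apply the positive mime-type filter and/or the negative regex filter.

    Either filter may be omitted; with neither, every line is returned unchanged.
    """
    lines = text.splitlines(keepends=True)
    if mime is not None:
        lines = keep_mime_type(lines, mime)
    if exclude is not None:
        lines = drop_matching(lines, exclude)
    return lines


if __name__ == "__main__":
    # Only executable downloads, minus anything served from an /update/ path.
    for record in filter_log(SAMPLE_LOG, mime="application/x-dosexec", exclude=r"/update/"):
        print(record, end="")
```

The two filters compose in the order a Bro-side implementation would apply them: the positive filter decides which records are candidates for the log, and the negative regex then removes lines you never want written. Because the negative filter runs over the whole line, a pattern anchored to the URI column (for example `\t/update/` rather than `/update/`) avoids accidentally matching a host name or a timestamp.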