[Bro] filtering types from http-ext-outbound.log
E.H.Beekman at amc.nl
Fri Aug 6 07:17:21 PDT 2010
Thanks for the quick reply.
If I use the redef in my local.bro config:
redef HTTP::logging = None;
http-ext-outbound.log stays empty, even when I download some executables.
Next I removed the redef from my local.bro config
and tried to change ignored_urls from the file
const ignored_urls = /^http:\/\/(au\.|www\.)?download\.windowsupdate\.com\/msdownload\/update/ &redef;
const ignored_urls = /^http:\/\/.*\.(jpg|png|html|gif|htm)$/ &redef;
But that doesn't stop those from being logged :-(
Thanks in advance,
On Fri, Aug 06, 2010 at 03:35:36PM CEST, Seth Hall wrote:
> On Aug 6, 2010, at 9:14 AM, Ewald Beekman wrote:
> > How can I filter out those URLs so they don't end up in this
> > logfile, or if that's complicated, how can I limit logging into
> > this file to only contain "application/x-dosexec" downloads?
> You have two choices, you can handle the http_ext event yourself and do logging however you want (check out logging.http-ext.bro for an example), or you can do the following after you load the logging.http-ext.bro script.
> redef HTTP::logging = None; # Other options are Inbound, Outbound, and the default All
> It still logs requests matching file types you want logged because the http-ext-identified-files.bro script forces identified files to be logged. All of the options for HTTP logging through the http-ext.bro script are documented at the top of the logging.http-ext.bro script. Options for identifying files you want to log can be found at the top of the http-ext-identified-files.bro script.
> I hadn't considered doing a negative filter for logs, but that is certainly something I could add to my logging framework. My initial thought is that it would just be a regular expression for matching the full log line and if the regex matches the line, it wouldn't be logged.
Ewald Beekman, CISSP. Academic Medical Center, NL
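As an added illustration (not Bro code and not part of this thread), the snippet below applies the two ignored_urls patterns quoted above, plus the "only application/x-dosexec" restriction, to some constructed log lines. The line layout is assumed for the example; the real http-ext-outbound.log format is not reproduced here.

```python
import re

# Constructed sample lines (assumed layout: timestamp client server mime url);
# not taken from a real http-ext-outbound.log.
SAMPLE_LOG = """\
1281100000.1 10.0.0.5 93.184.216.34 image/jpeg http://example.com/img/banner.jpg
1281100001.2 10.0.0.5 93.184.216.34 image/png http://example.com/img/logo.png?v=3
1281100002.3 10.0.0.5 93.184.216.34 application/x-dosexec http://example.com/tools/setup.exe
1281100003.4 10.0.0.5 207.46.1.1 application/x-dosexec http://au.download.windowsupdate.com/msdownload/update/x.cab
1281100004.5 10.0.0.5 93.184.216.34 text/html http://example.com/index.html
"""

# The two patterns tried in the thread, written in Python regex syntax
# (Bro writes them as /.../ literals).
IGNORED_URLS = [
    re.compile(r"^http://(au\.|www\.)?download\.windowsupdate\.com/msdownload/update"),
    re.compile(r"^http://.*\.(jpg|png|html|gif|htm)$"),
]


def parse(line):
    """Split one constructed log line into its five fields."""
    ts, client, server, mime, url = line.split(" ", 4)
    return {"ts": ts, "client": client, "server": server, "mime": mime, "url": url}


def is_ignored(url, patterns=IGNORED_URLS):
    """True when any ignore pattern matches the URL (negative filter)."""
    return any(p.search(url) for p in patterns)


def filter_log(text, only_mime=None, patterns=IGNORED_URLS):
    """Return the records that survive: ignored URLs are dropped, and when
    only_mime is set only that MIME type is kept (the 'x-dosexec only' case)."""
    kept = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if is_ignored(rec["url"], patterns):
            continue
        if only_mime and rec["mime"] != only_mime:
            continue
        kept.append(rec)
    return kept
```

Note that the `$`-anchored extension pattern does not match `logo.png?v=3`, because the URL ends in the query string rather than the extension; that line survives the filter.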