[Bro] Converting a Bro Script to A New Stream

Seth Hall seth at icir.org
Mon Aug 27 22:41:10 PDT 2012


On Aug 28, 2012, at 12:14 AM, Mike Sconzo <sconzo at visiblerisk.com> wrote:

> I've got a general question around this idea. When is it best to
> create a log filter vs. creating a log file with just the information
> you want in it vs. adding an additional field to an existing log?


In this case, the log being created was a strict subset of the existing log.  I definitely wouldn't bother creating a completely new log just to restrict the output columns since we have that supported as a feature of the logging framework.

I guess in most cases where you are just going to end up outputting all of the same fields from an existing log I wouldn't bother creating a new log stream.  There are some cases where it just comes down to a style decision if you are adding extra fields but you are also including several fields from an existing log whether or not you create a new log stream.

A good rule of thumb is if your first thought is to handle a log stream event (e.g. DNS::log_dns, HTTP::log_http, etc.) to fill out your log file, you should probably use a filter.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
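As an added illustration of the filter approach described above (example code, not from the thread or from the Bro project), this script writes a column-restricted copy of the HTTP log without creating a new stream or handling HTTP::log_http. It assumes Bro 2.x, where Log::Filter accepts $include and $pred, and that the include set names columns as they appear in http.log (e.g. "id.orig_h"); the errors-only policy is a hypothetical choice for the example.

```bro
# Added example: a log filter on the existing HTTP stream, in place of a
# new stream re-filled from the HTTP::log_http event.
module HTTPSlim;

# Row predicate: keep only requests whose server response was an error.
# status_code is &optional in HTTP::Info, so test for presence first
# (hypothetical policy chosen for this example).
function error_only(rec: HTTP::Info): bool
	{
	return rec?$status_code && rec$status_code >= 400;
	}

event bro_init()
	{
	# A second output, http_slim.log, carrying only the listed columns and
	# only the rows accepted by error_only. The stream's "default" filter is
	# left in place, so the full http.log is still written.
	local f: Log::Filter = [$name="http-slim",
	                        $path="http_slim",
	                        $include=set("ts", "uid", "id.orig_h", "id.resp_h",
	                                     "host", "uri", "status_code"),
	                        $pred=error_only];
	Log::add_filter(HTTP::LOG, f);
	}
```

To replace the full log rather than add a file beside it, remove the stream's default filter with Log::remove_filter(HTTP::LOG, "default") in the same bro_init handler.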
