[Bro] Event Suppression

Justin Azoff JAzoff at albany.edu
Mon Dec 3 15:29:25 PST 2012

On Mon, Dec 03, 2012 at 06:03:27PM -0500, Chris Crawford wrote:
> I'd like to tell bro to tell me about a certain event, but then suppress itself
> for a while.
> I am running bro version 2.1.
> I think I'm on the right track, but I'm not getting the results I expect.
> Here's my script:
>                                 NOTICE([$note=DNS_SERV_FAIL, $msg=fmt("Check
> out %s. It failed to resolve%s.", rec$id$orig_h, rec$query), $suppress_for=
> 10sec, $identifier=cat(rec$query)]);
> I expect that after seeing a certain DNS query in my log, there should be, at a
> minimum, a 10 second delay until the next entry.

The suppress_for there only applies to NOTICE.  If you look at your
notice.log you'll see the behavior you expect.

If you want the regular log to have the same behavior you can implement
the suppression yourself.

You just need to create something like

    seen_domains: set[string] &create_expire=10sec &synchronized;

then use something like this in your 'pred'

    if(rec$query !in seen_domains) {
        add seen_domains[rec$query];
        return T;
    } else {
        return F;
    }

or maybe cleaner as

    if(rec$query in seen_domains)
        return F;

    add seen_domains[rec$query];
    return T;

-- Justin Azoff
-- Network Security & Performance Analyst
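The suppression pattern Justin sketches depends on how `&create_expire` ages set members: the clock starts when the member is added and is not reset by later lookups. The following is an added Python model of that filter, not Bro script and not code from this thread, so the predicate logic can be run offline against constructed SERVFAIL records. The record layout (a dict with `ts` and `query`), the 10 second window and the sample names are assumptions made for the example.

```python
"""Model of the per-identifier log suppression described above.

Bro's `&create_expire=10sec` drops a set member 10 seconds after it was
added, however often it is looked up in the meantime.  This model
reproduces that behaviour so the filter predicate can be exercised
offline.  Added example: not Bro script, not code from the thread.
"""
from dataclasses import dataclass, field


@dataclass
class CreateExpireSet:
    """A set whose members vanish `ttl` seconds after insertion.

    Mirrors &create_expire: the timer starts at insertion and is NOT
    refreshed by membership tests (that would be &read_expire).
    """
    ttl: float
    _added: dict = field(default_factory=dict)  # member -> insertion time

    def _expire(self, now: float) -> None:
        # Drop every member whose insertion is at least `ttl` seconds old.
        stale = [m for m, t0 in self._added.items() if now - t0 >= self.ttl]
        for m in stale:
            del self._added[m]

    def contains(self, member: str, now: float) -> bool:
        self._expire(now)
        return member in self._added

    def add(self, member: str, now: float) -> None:
        self._expire(now)
        # Only the first insertion counts; re-adding does not refresh the timer.
        self._added.setdefault(member, now)


def make_pred(seen: CreateExpireSet):
    """Build the equivalent of the log filter's $pred: True means write
    the record, False means suppress it (Justin's second, cleaner form)."""
    def pred(rec: dict) -> bool:
        identifier = rec["query"]          # plays the role of cat(rec$query)
        if seen.contains(identifier, rec["ts"]):
            return False                   # seen inside the window: suppressed
        seen.add(identifier, rec["ts"])
        return True
    return pred


def filter_records(records, ttl=10.0):
    """Return the queries that survive suppression, in arrival order."""
    pred = make_pred(CreateExpireSet(ttl))
    return [r["query"] for r in records if pred(r)]


# Constructed SERVFAIL records (assumed layout): timestamp in seconds, queried name.
SAMPLE_RECORDS = [
    {"ts": 0.0,  "query": "broken.example"},
    {"ts": 3.0,  "query": "broken.example"},   # 3s after first sighting: suppressed
    {"ts": 4.0,  "query": "other.example"},    # different identifier: logged
    {"ts": 9.9,  "query": "broken.example"},   # still inside the window: suppressed
    {"ts": 10.0, "query": "broken.example"},   # window elapsed: logged again
    {"ts": 12.0, "query": "other.example"},    # 8s after its own first sighting
    {"ts": 15.0, "query": "broken.example"},   # 5s after the 10.0 re-log: suppressed
]

if __name__ == "__main__":
    for q in filter_records(SAMPLE_RECORDS):
        print(q)
```

Running it prints `broken.example`, `other.example`, `broken.example`: the third entry shows the window reopening once the original member has aged out, and the 9.9 second record shows that a lookup just inside the window neither logs nor extends the timer. In Bro the same branch lives in the filter's `pred` as Justin describes, with `seen_domains` doing the expiry work that `CreateExpireSet` models here.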
