[Bro] Notice suppression in beta

Siwek, Jonathan Luke jsiwek at illinois.edu
Thu Nov 7 12:34:26 PST 2013

On Nov 7, 2013, at 12:10 PM, Lou RUPPERT <himself at louruppert.com> wrote:

> But still I see notices coming through with IPs in the netblocks
> listed and with a note for SSL::Invalid_Server_Cert. Shouldn't a break
> issued from a hook with a greater priority than the default process
> prevent the notice from being logged?

There’s a priority 10 notice policy hook that configures some actions to take depending on the value of n$note, and by default it adds the logging action (to be performed later).

So either “break”ing from a hook with priority greater than 10 or “delete n$actions[Notice::ACTION_LOG]” from one with lower priority should prevent a notice from being logged.  The former would also prevent any email/alarm actions associated with the notice type.

- Jon

More information about the Bro mailing list