[Bro] Notice suppression in beta
Siwek, Jonathan Luke
jsiwek at illinois.edu
Thu Nov 7 12:34:26 PST 2013
On Nov 7, 2013, at 12:10 PM, Lou RUPPERT <himself at louruppert.com> wrote:
> But still I see notices coming through with IPs in the netblocks
> listed and with a note for SSL::Invalid_Server_Cert. Shouldn't a break
> issued from a hook with a greater priority than the default process
> prevent the notice from being logged?

There’s a priority 10 notice policy hook that configures some actions to take depending on the value of n$note, and by default it adds the logging action (to be performed later).

So either “break”ing from a hook with priority greater than 10 or “delete n$actions[Notice::ACTION_LOG]” from one with lower priority should prevent a notice from being logged. The former would also prevent any email/alarm actions associated with the notice type.
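
The two approaches described in the reply, as an added example that is not part of the original message or the Bro distribution. The module name `QuietNets`, the option names, the helper `is_quiet`, and the netblocks (documentation ranges) are assumptions made for illustration, as is matching on either endpoint of the connection.

```bro
@load base/frameworks/notice
@load protocols/ssl/validate-certs

module QuietNets;

export {
	## Constructed sample netblocks; replace with the ranges to quiet.
	const nets: set[subnet] = { 192.0.2.0/24, 198.51.100.0/24 } &redef;

	## T: stop policy processing before the priority 10 hook runs, so no
	##    log, email or alarm action is ever attached to the notice.
	## F: let the priority 10 hook run, then remove only the log action.
	const drop_all_actions = T &redef;
}

# True for SSL::Invalid_Server_Cert notices whose source or destination
# address falls inside one of the configured netblocks.
function is_quiet(n: Notice::Info): bool
	{
	if ( n$note != SSL::Invalid_Server_Cert )
		return F;

	return (n?$src && n$src in nets) || (n?$dst && n$dst in nets);
	}

# Runs before the default priority 10 hook. "break" ends the hook chain
# here, so the default hook never adds ACTION_LOG (or email/alarm).
hook Notice::policy(n: Notice::Info) &priority=15
	{
	if ( drop_all_actions && is_quiet(n) )
		break;
	}

# Runs after the default priority 10 hook has added its actions.
# Removing ACTION_LOG leaves any email/alarm actions in place.
hook Notice::policy(n: Notice::Info) &priority=5
	{
	if ( ! drop_all_actions && is_quiet(n) )
		delete n$actions[Notice::ACTION_LOG];
	}
```

A hook at priority 10 or lower that calls `break` runs too late to stop the logging action from being added, which matches the symptom described in the quoted question.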