[Bro] Creating multiple notice logs

Dave Crawford bro at pingtrip.com
Fri May 13 12:08:15 PDT 2016


Thanks Justin,

The add_filter option you mentioned is probably the better route. I'm just looking to move "PacketFilter::Dropped_Packets" notices to a separate log.

> On May 13, 2016, at 11:00 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> 
> 
> > On May 13, 2016, at 10:44 AM, Dave Crawford <bro at pingtrip.com> wrote:
> > 
> > Does anyone have an example of diverting specific notices to a new log file?
> > 
> > Is the right approach to hook "Notice::policy" (with priority), Log:write to the new log stream and then 'break' from the hook?
> > 
> > -Dave  
> 
> Yes.. you're on the right track.  As it turns out I have a script that does exactly that.
> 
> 
> 
> The input file is so I can have a file with rows like
> 
> #fields ip      note    reason  timestamp
> 1.2.3.4   TeamCymruMalwareHashRegistry::Match     test box        1445362562
> 
> 
> 
> The key thing that my script does is
> 
>     n$actions = set();
> 
> If you just wanted to move some notices to a different log file you could accomplish that much easier by using Log::add_filter with a path_func.
> 
> 
> 
> -- 
> - Justin Azoff
> 
> <ignore-notices.bro>
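
An added example of the Log::add_filter / path_func approach discussed above (this is not the attached ignore-notices.bro, nor anything from Dave or Justin). It replaces the "default" filter on Notice::LOG with one whose path_func sends PacketFilter::Dropped_Packets notices to notice_dropped.log and everything else to the usual notice.log. Log::get_filter, Log::add_filter, Log::Filter$path_func and Notice::Info$note are the Bro 2.x logging and notice framework APIs; the module name NoticeSplit, the function name split_notice_path and the output path "notice_dropped" are choices made for this example.

```bro
# Route PacketFilter::Dropped_Packets notices into notice_dropped.log
# instead of notice.log. Added example; names below are assumptions.

module NoticeSplit;

# path_func is called once per record and returns the log path to use.
# Returning the incoming `path` keeps the default "notice" destination.
function split_notice_path(id: Log::ID, path: string, rec: Notice::Info): string
    {
    if ( rec$note == PacketFilter::Dropped_Packets )
        return "notice_dropped";

    return path;
    }

# Priority -5 so this runs after the notice framework has created its
# default filter in its own bro_init handler.
event bro_init() &priority=-5
    {
    # Fetch the existing default filter rather than adding a second one:
    # adding a new filter alongside the default would write the dropped-packet
    # notices to both files, which is a copy, not a move.
    local f = Log::get_filter(Notice::LOG, "default");
    f$path_func = split_notice_path;

    # add_filter replaces a filter with the same name ("default"), so the
    # original destination is kept for every other notice type.
    Log::add_filter(Notice::LOG, f);
    }
```

Because the filter is replaced rather than supplemented, no record is dropped or duplicated: a Dropped_Packets notice appears only in notice_dropped.log, and the rest of the notice stream is unchanged. Any other Notice::Type can be diverted the same way by extending the comparison in split_notice_path.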
