[Bro] Tuning Bro

Miller, Brad L BLMILLER at comerica.com
Wed Oct 19 06:11:39 PDT 2016


I personally used a bro script much like example 3 in this link:  http://blog.bro.org/2012/02/filtering-logs-with-bro.html

You define what the “local” zones are, and it then splits the dns.log into dns_localzone.log (your items) and dns_remotezone.log (anything not defined).  You can then process/query the remotezone log as you would with a dns.log and discard the localzone log if you wish.  I would encourage you to keep that localzone log though, it’s a great resource.


Brad Miller
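
The split described above, as an added example (this is not Brad's script or the code from the linked blog post); it assumes the Bro 2.x logging framework's `Log::Filter` `$path_func` hook and `Site::is_local_name`, and the zone names are placeholders:

```bro
# Added example (not from the thread): route dns.log records into
# dns_localzone.log or dns_remotezone.log depending on whether the queried
# name falls under one of the "local" zones. Load this from local.bro.

@load base/protocols/dns
@load base/utils/site

# Placeholder zone names: Site::is_local_name() matches query-name suffixes
# against this set, so subdomains of these zones count as local too.
redef Site::local_zones += { "corp.example", "internal.example" };

# Pick the output file per record. Records without a query name (e.g. a
# truncated or malformed exchange) go to the remote-zone log so that the
# file you keep watching never silently loses them.
function zone_path_func(id: Log::ID, path: string, rec: DNS::Info): string
	{
	if ( rec?$query && Site::is_local_name(rec$query) )
		return "dns_localzone";
	return "dns_remotezone";
	}

# Negative priority: run after base/protocols/dns has created DNS::LOG.
event bro_init() &priority=-5
	{
	# Replace the stock single dns.log writer with one filter that splits
	# by zone; both output logs keep the normal DNS::Info columns.
	Log::remove_default_filter(DNS::LOG);
	Log::add_filter(DNS::LOG, [$name="dns-zone-split",
	                           $path_func=zone_path_func]);
	}
```

If you really want to drop the local-zone records instead of keeping them, add a `$pred` to the same filter that returns F for local names; the path function alone never discards anything.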

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of sec-x sec-x
Sent: Wednesday, October 19, 2016 5:04 AM
To: bro at bro.org
Subject: [Bro] Tuning Bro

Hi,
Recently I installed a Bro IDS instance on my network.
I want to filter out all internal DNS messages from dns.log.
I need an explanation of how I configure this and where.
Thanks,
CM.

