[Bro] Question: using Log Filter Framework

Azoff, Justin S jazoff at illinois.edu
Tue Aug 29 11:14:38 PDT 2017


> On Aug 29, 2017, at 1:54 PM, James Dickenson <jdickenson at gmail.com> wrote:
> 
> Hey All,
> 
> Hey I've been trying to use the log filter framework to filter out
> various things like certain IP ranges and other records.  Here is my
> attempt but Bro is complaining about line 8 saying my syntax isn't
> correct.   Does anyone know what I'm doing wrong?  I've been using
> Seth's blog post on the framework as an example of how to build the
> log filters.  --->
> http://blog.bro.org/2012/02/filtering-logs-with-bro.html
> 
> 
> Thanks in advance!
> 
> -James D.
> 
> 
> ###### code #######
> 
> global filter_ip_set: subnet = 1.0.0.0/8 &redef;
> 
> event bro_init()
>        {
>        Log::remove_default_filter(HTTP::LOG);
>        Log::add_filter(HTTP::LOG, [$name="orig_h_filter",
>                                    $pred(rec: HTTP::Info) = {
>                                    rec$id$orig_h in $filter_ip_set;
>                                    } ]);
>        Log::add_filter(HTTP::LOG, [$name="resp_h_filter",
>                                    $pred(rec: HTTP::Info) = {
>                                    rec$id$resp_h in $filter_ip_set;
>                                    } ]);
>        }
> 
> #########################
> 
> ###### error ########
> error in **snip*** test.bro, line 8: syntax error, at or near ";"

That just has 2 small issues:

$filter_ip_set should be filter_ip_set and the pred function needs to return a boolean, so:

       Log::add_filter(HTTP::LOG, [$name="orig_h_filter",
                                   $pred(rec: HTTP::Info) = {
                                   return rec$id$orig_h in filter_ip_set;
                                   } ]);

Personally I'd format that sort of thing like

    Log::add_filter(HTTP::LOG, [
        $name="orig_h_filter",
        $pred(rec: HTTP::Info) = {
            return rec$id$orig_h in filter_ip_set;
        }
    ]);

Also, not sure if that is just an example, but you'd probably want something like

    Log::add_filter(HTTP::LOG, [
        $name="host_filter",
        $pred(rec: HTTP::Info) = {
            return rec$id$orig_h in filter_ip_set || rec$id$resp_h in filter_ip_set;
        }
    ]);


Finally, if you are doing more complicated things in the pred function, splitting the statement up can help readability.

function interesting_connections(rec: HTTP::Info): bool
{
    return rec$id$orig_h in filter_ip_set || rec$id$resp_h in filter_ip_set;
}

event bro_init()
{
    local filter: Log::Filter = [$name="host_filter", $pred=interesting_connections];
    Log::add_filter(HTTP::LOG, filter);
}
-- 
- Justin Azoff
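As an added example (not part of the thread and not Justin's or James's code), the same predicate style can be used to route a subset of records to their own log file instead of dropping everything that does not match. It keeps the default http.log intact and adds a second filter with a `$path` that writes only connections touching a watched subnet to http_watch.log. The subnets in `watched_nets` are constructed sample values, and the example assumes a Bro/Zeek version where `addr in set[subnet]` membership tests are supported.

```zeek
##! Added example: copy HTTP records involving watched subnets to a separate log.
##! The subnets below are constructed placeholders; replace them with your own.

module HTTPWatch;

export {
    ## Subnets whose HTTP traffic should also be written to http_watch.log
    ## (constructed sample values, redef-able from local.bro).
    const watched_nets: set[subnet] = { 10.0.0.0/8, 192.168.0.0/16 } &redef;
}

## Predicate for Log::Filter: must return a bool. True when either endpoint
## of the connection falls inside one of the watched subnets.
function touches_watched_net(rec: HTTP::Info): bool
    {
    return rec$id$orig_h in watched_nets || rec$id$resp_h in watched_nets;
    }

event bro_init()
    {
    # The default filter is left in place, so http.log still receives every
    # record. The extra filter writes matching records to http_watch.log;
    # $path names the output file (minus the .log suffix).
    local watch_filter: Log::Filter = [$name="watched_hosts",
                                       $path="http_watch",
                                       $pred=touches_watched_net];
    Log::add_filter(HTTP::LOG, watch_filter);
    }
```

To drop non-matching records instead of copying matching ones, call `Log::remove_default_filter(HTTP::LOG)` before `Log::add_filter` and omit `$path`, as in the reply above; the predicate itself is unchanged either way.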