[Bro] Disabling an analyzer in weird

James Lay jlay at slave-tothe-box.net
Fri Mar 10 13:22:49 PST 2017

Thanks Jan,

I got this to fly with disabling the analyzer, but as I look at the
weird.log there are several items I'd like to filter out.  For example:


and others.  I've looked at the code snippet as shown below:

function http_only(rec: Conn::Info) : bool
    {
    # Record only connections with successfully analyzed HTTP traffic
    return rec?$service && rec$service == "http";
    }

event bro_init()
    {
    # $pred selects which records this filter writes; the default filter
    # on Conn::LOG still writes the full conn.log alongside conn-http.log
    local filter: Log::Filter = [$name="http-only", $path="conn-http",
                                 $pred=http_only];
    Log::add_filter(Conn::LOG, filter);
    }

and, as usual when I stare at bro code snippets, I'm completely lost.  I
get that the above creates a new log with only http from conn.log, but I
have no idea how to tweak this to filter out things from weird.log.
I've looked at:


I see a lot of these are about splitting into new logs or filtering out
fields...none of which I want to do.  Any additional guidance on
negating entries from logs would be excellent.  Thank you...bro always
makes me feel stupid 8-/ 


On 2017-03-10 12:30, Jan Grashöfer wrote:

>> Thanks Jan.  So I did more digging...this used to work in 2.4.1:
>> http://mailman.icsi.berkeley.edu/pipermail/bro/2014-July/007178.html
>> But now no longer...I guess I don't want to see binpac exceptions in
>> weird.  Any folks have any thoughts on this?  Thank you.
> So if disabling the syslog analyzer completely is ok for you that should
> just work fine with 2.5. Do you see any errors?
> Jan
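One way to drop selected entries from weird.log itself, written as an added example for this thread (not code from the poster or from the Bro project): the same `$pred` mechanism as the http_only snippet, but applied to Weird::LOG and replacing the default filter so that the suppressed records are not still written by it. The weird names in `ignored_weirds` are hypothetical placeholders; real ones come from the `name` column of your own weird.log.

```bro
# Added example: suppress chosen weird names from weird.log with a filter
# predicate. Assumes Bro 2.5 with the default Weird::LOG stream.

# Hypothetical placeholder names; replace with values seen in weird.log's
# `name` column. &redef lets a site script override the set.
const ignored_weirds: set[string] = {
    "example_weird_to_ignore",
    "another_weird_to_ignore",
} &redef;

function keep_weird(rec: Weird::Info): bool
    {
    # Return T to write the record, F to drop it.
    return rec$name !in ignored_weirds;
    }

event bro_init()
    {
    # Only adding a filter would create a second log next to weird.log;
    # to negate entries in weird.log, remove the default filter and
    # re-add one with the same path plus the predicate.
    Log::remove_default_filter(Weird::LOG);
    Log::add_filter(Weird::LOG, [$name="weird-filtered", $path="weird",
                                 $pred=keep_weird]);
    }
```

Entries matching the set are dropped before they reach the writer, so they are also absent from any remote logger that receives Weird::LOG from this node.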