[Bro] Disabling an analyzer in weird
jlay at slave-tothe-box.net
Fri Mar 10 13:22:49 PST 2017
I got this to fly with disabling the analyzer, but as I look at the
weird.log there are several items I'd like to filter out. For example:
and others. I've looked at the code snippet as shown below:
function http_only(rec: Conn::Info) : bool {
    # Record only connections with successfully analyzed HTTP traffic
    return rec?$service && rec$service == "http";
}
event bro_init() {
    local filter: Log::Filter = [$name="http-only", $path="conn-http", $pred=http_only];
    Log::add_filter(Conn::LOG, filter);  # completed from the Bro logging docs
}
and, as usual when I stare at Bro code snippets, I'm completely lost. I
get that the above creates a new log and only http from conn.log, but I
have no idea how to tweak this to filter out things from weird.log.
I've looked at:
I see a lot of these are about splitting into new logs or filtering out
fields...none of which I want to do. Any additional guidance on
negating entries from logs would be excellent. Thank you...Bro always
makes me feel stupid 8-/
On 2017-03-10 12:30, Jan Grashöfer wrote:
>> Thanks Jan. So I did more digging...this used to work in 2.4.1:
>> But now no longer...I guess I don't want to see binpac exceptions in
>> weird. Any folks have any thoughts on this? Thank you.
> So if disabling the syslog analyzer completely is ok for you that should
> just work fine with 2.5. Do you see any errors?
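The question above is how to drop selected entries from weird.log rather than split them into a new log. The following script is an added example, not code from the post or from the Bro project itself: it reuses the existing "default" filter on Weird::LOG and attaches a predicate that returns F for entries whose name matches a pattern. The pattern prefix "binpac exception" is an assumption based on the poster's description; the exact `name` values to suppress should be taken from your own weird.log.

```bro
# Added example: suppress selected weird.log entries with a filter predicate.
# This is not the poster's code or a Bro project script.

@load base/frameworks/notice/weird

module WeirdFilter;

export {
    ## Pattern matched against Weird::Info$name; matching entries are
    ## not written to weird.log. The prefix below is an assumption:
    ## take the real names from your own weird.log.
    const ignored_weirds: pattern = /^binpac exception/ &redef;
}

function keep_weird(rec: Weird::Info): bool
    {
    # Returning F tells the logging framework to drop this record.
    # Everything that does not match the pattern is logged as before.
    return ignored_weirds !in rec$name;
    }

event bro_init() &priority=-5
    {
    # Negative priority so this runs after the base scripts have created
    # the weird stream and its default filter. Re-adding a filter with the
    # same name replaces it, so the predicate applies to weird.log itself
    # rather than creating a second log.
    local f = Log::get_filter(Weird::LOG, "default");
    f$pred = keep_weird;
    Log::add_filter(Weird::LOG, f);
    }
```

Load the script alongside local.bro (or `@load` it from there) and check weird.log afterwards: the matching names should be gone while every other weird is still recorded. Suppressing a weird this way hides it from the log only; the analyzer still sees the traffic, so keep the pattern as narrow as the names you have actually verified.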