[Bro] Disabling an analyzer in weird

Shane Filus filus at psc.edu
Fri Mar 10 13:45:11 PST 2017

On 3/10/17 4:22 PM, James Lay wrote:
> Thanks Jan,
> I got this to fly with disabling the analyzer, but as I look at the
> weird.log there are several items I'd like to filter out.  For example:
> dns_unmatched_msg
> inappropriate_FIN

Hi James,

Specifically to weird logging, you can redef individual messages:

    redef Weird::actions["dns_unmatched_msg"] = Weird::ACTION_IGNORE;
    redef Weird::actions["dns_unmatched_reply"] = Weird::ACTION_IGNORE;


Re-reading, didn't realize there were more actions than IGNORE (and LOG).
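
Added example, not part of the original post: a single `redef` that sets a different action per weird name, using the rate-limited `Weird::Action` values from Bro's base weird script rather than ignoring everything. The choice of action for each name is an assumption made for illustration.

```bro
# Added illustration (not from the original message).
# Weird::actions maps a weird name to a Weird::Action; names that are
# not listed fall back to the table's default, Weird::ACTION_LOG.
redef Weird::actions += {
    # Drop these entirely: nothing is written to weird.log.
    ["dns_unmatched_msg"]   = Weird::ACTION_IGNORE,
    ["dns_unmatched_reply"] = Weird::ACTION_IGNORE,

    # Keep some visibility but cut the volume: log this weird at most
    # once per connection instead of every time it fires.
    ["inappropriate_FIN"]   = Weird::ACTION_LOG_PER_CONN,
};

# Other values of the same enum, usable the same way:
#   Weird::ACTION_LOG_ONCE      log only the first occurrence of the name
#   Weird::ACTION_LOG_PER_ORIG  log once per originating host
#   Weird::ACTION_NOTICE        log and also raise a Weird::Activity notice
```

Loading this from local.bro applies it at startup; a rate-limited action keeps a record that the weird occurred, which ACTION_IGNORE does not.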