[Bro] bro_log_file and log_hook
Chris Alexander
chris at moose.ca
Fri Apr 28 11:43:54 PDT 2006
On Fri, 28 Apr 2006, Robin Sommer wrote:
>
> The former "log_hook" is now called "alarm_hook". Here's an example:
>
Thanks, Robin. Very helpful.
I've got something working but...
weird.bro gets @load'ed and I end up with lots of weird messages sprayed
to the screen.
How do I turn this off via alarm_hook?
My messages (print via alarm()) work fine but the weird stuff is still
spraying. Probably a tidbit I'm missing?
Here's what I've got...ignore whether what is printed makes sense -
just playing/learning the lingo.
function alarm_hook(msg: string): bool
{
print msg;
return F;
}
event connection_established(c: connection)
{
local id = c$id;
local service = id$resp_p;
local inbound = is_local_addr(id$resp_h);
if ( id$resp_h in mail_servers )
{
if ( inbound && [ id$resp_h, service ] !in allowed_mail_services )
{
alarm fmt("out of scope (mail) : %s", full_id_string(c));
}
}
}
The output looks kinda like:
1146059131.898819 weird: spontaneous_RST
1146059132.021314 weird: spontaneous_RST
1146059132.942845 weird: unsolicited_SYN_response
1146059132.945050 weird: unsolicited_SYN_response
1146059132.947408 weird: unsolicited_SYN_response
1146059132.949907 weird: unsolicited_SYN_response
out of scope (mail) : 142.92.39.44 ?b ?>? 142.92.39.129/ssh ?b 0.0s
1146059132.952414 weird: unsolicited_SYN_response
1146059132.963438 weird: unsolicited_SYN_response
1146059132.966381 weird: unsolicited_SYN_response
1146059133.277703 weird: connection_originator_SYN_ack
1146059133.313146 weird: data_before_established
1146059133.315934 weird: possible_split_routing
with bazillions of weird stderr output. How to eliminate the weird stuff?
TIA!
--
http://moose.ca
More information about the Bro
mailing list