[Bro] ignoring all weird?
Tim Rupp
tarupp at fnal.gov
Thu Apr 1 11:40:59 PDT 2010
On 03/31/2010 11:47 AM, Robin Sommer wrote:
>
> On Wed, Mar 31, 2010 at 08:53 -0500, Tim Rupp wrote:
>
>> I was hoping it'd be that easy, but now the weird messages (content gap,
>> ack above a hole, etc) are going to stdout as well as the weird log.
>
> I don't think we currently have a way to generally suppress all
> weird messages, just individually per your earlier mail. It is
> however possible to remove them from notice.log by mapping
> corresponding notice types to NOTICE_IGNORE.
>
> Justin's solution is almost doing that but it just suppresses the
> notice_action_event, not the actual reporting (that event is used
> mostly internally). Use either notice_policy or
> notice_action_filters instead.
>
> Robin
>
One of my co-workers pointed out that, while it may be a poor
workaround, I can kinda get the functionality I was looking for by doing the

    redef notice_action_filters += {
        [[Weird::WeirdActivity,
          Weird::ContentGap,
          Weird::RetransmissionInconsistency,
          Weird::AckAboveHole]] = ignore_notice
    };

and then redef'ing the weird file to /dev/null

    redef Weird::weird_file = open_log_file("/dev/null");

Weird messages go away, but I wonder if this would cause chaos with many
bros trying to open /dev/null concurrently to write the weird log.

Maybe I'll just rotate my weird log more frequently.

Thanks for the pointers!

-Tim