[Bro] filtering types from http-ext-outbound.log

Ewald Beekman E.H.Beekman at amc.nl
Fri Aug 6 07:17:21 PDT 2010


Hi Seth,

Thanks for the quick reply.

If I use the redef in my local.bro config:

@load all-ext.bro
redef HTTP::logging = None;

http-ext-outbound.log stays empty, even when I download some executables
myself.

Next I removed the redef from my local.bro config
and tried to change ignored_urls from the file
http-ext-identified-files.bro

from: 

const ignored_urls = /^http:\/\/(au\.|www\.)?download\.windowsupdate\.com\/msdownload\/update/ &redef;

in:

const ignored_urls = /^http:\/\/.*\.(jpg|png|html|gif|htm)$/ &redef;

But that doesn't stop those from being logged :-(

Thanks in advance,

Ewald...

On Fri, Aug 06, 2010 at 03:35:36PM CEST, Seth Hall wrote:
> 
> On Aug 6, 2010, at 9:14 AM, Ewald Beekman wrote:
> 
> > How can I filter out those URLs so they don't end up in this
> > logfile, or if that's complicated, how can i limit logging into
> > this file to only contain "application/x-dosexec" downloads?
> 
> You have two choices, you can handle the http_ext event yourself and do logging however you want (check out logging.http-ext.bro for an example), or you can do the following after you load the logging.http-ext.bro script.
> 
> redef HTTP::logging = None; # Other options are Inbound, Outbound, and the default All
> 
> It still logs requests matching file types you want logged because the http-ext-identified-files.bro script forces identified files to be logged.  All of the options for HTTP logging through the http-ext.bro script are documented at the top of the logging.http-ext.bro script.  Options for identifying files you want to log can be found at the top of the http-ext-identified-files.bro script.
> 
> I hadn't considered doing a negative filter for logs, but that is certainly something I could add to my logging framework.  My initial thought is that it would just be a regular expression for matching the full log line and if the regex matches the line, it wouldn't be logged.
> 
>   .Seth
> 
--
Ewald Beekman, CISSP. Academic Medical Center, NL
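Added example, not part of this thread or of the Bro scripts it mentions: the two filtering ideas discussed above (Seth's negative filter, a regex over the full log line, and a positive filter that keeps only application/x-dosexec downloads) applied in Python to constructed, simplified log lines, plus a check of the ignored_urls regex from the message. The tab-separated column layout is an assumption for illustration, not the real http-ext-outbound.log format.

```python
import re

# Constructed sample lines in an assumed, simplified tab-separated layout:
# timestamp, client, server, method, URL, MIME type.
# This is NOT the real http-ext-outbound.log format, only stand-in data.
SAMPLE_LOG = """\
1281104211.123\t10.0.0.5\t192.0.2.10\tGET\thttp://example.net/logo.png\timage/png
1281104212.456\t10.0.0.5\t192.0.2.10\tGET\thttp://example.net/setup.exe\tapplication/x-dosexec
1281104213.789\t10.0.0.7\t198.51.100.3\tGET\thttp://example.org/page.html\ttext/html
1281104214.001\t10.0.0.7\t198.51.100.3\tGET\thttp://example.org/tool.exe?dl=1\tapplication/x-dosexec
1281104215.002\t10.0.0.9\t203.0.113.8\tGET\thttp://au.download.windowsupdate.com/msdownload/update/x.cab\tapplication/octet-stream
"""

# Negative filter as Seth describes it: a regex matched against the FULL log
# line; any line that matches is dropped. Here: drop common static web content.
IGNORE_LINE = re.compile(r"\.(jpg|png|html|gif|htm)(\t|$)")

# Positive filter: keep only lines whose MIME column is an executable.
WANTED_MIME = "application/x-dosexec"
MIME_COLUMN = 5  # index of the MIME type in the assumed layout

# Ewald's ignored_urls regex from the message, translated to Python syntax.
# Note the trailing '$': a URL carrying a query string (e.g. pic.jpg?x=1)
# does not match it, so such requests would still be logged.
IGNORED_URLS = re.compile(r"^http://.*\.(jpg|png|html|gif|htm)$")


def negative_filter(lines, pattern=IGNORE_LINE):
    """Return the lines that do NOT match the full-line ignore pattern."""
    return [line for line in lines if not pattern.search(line)]


def mime_filter(lines, mime=WANTED_MIME):
    """Return only the lines whose MIME column equals the wanted type."""
    kept = []
    for line in lines:
        cols = line.split("\t")
        if len(cols) > MIME_COLUMN and cols[MIME_COLUMN] == mime:
            kept.append(line)
    return kept


def url_ignored(url, pattern=IGNORED_URLS):
    """True if the URL would be suppressed by the ignored_urls regex."""
    return pattern.match(url) is not None


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("negative filter keeps:", len(negative_filter(lines)))  # 3
    print("mime filter keeps:", len(mime_filter(lines)))          # 2
```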
