[Bro] ignoring all weird?

Tim Rupp tarupp at fnal.gov
Tue Mar 30 09:55:41 PDT 2010


Is there a convenient way that I can suppress all weird messages that
would otherwise bubble up to the weird log?

I've done this:

redef notice_action_filters += {
        [[Weird::WeirdActivity,
          Weird::ContentGap,
          Weird::RetransmissionInconsistency,
          Weird::AckAboveHole]] = ignore_notice
};


But I still get some weird messages that I need to suppress like this:


redef Weird::weird_action: table[string] of Weird::WeirdAction += {
        [["above_hole_data_without_any_acks",
          "bad_TCP_checksum",
          "unmatched_HTTP_reply",
          "connection_originator_SYN_ack",
          "window_recision",
          "unescaped_special_URI_char",
          "bad_UDP_checksum",
          "data_before_established",
          "inflate_failed",
          "line_terminated_with_single_CR"
        ]] = Weird::WEIRD_IGNORE
};

Ideas?

Thanks,
-Tim


