[Bro] Filtering PacketFilter::Dropped_Packets

Will baxterw3232 at gmail.com
Tue Apr 17 05:51:33 PDT 2012


On Tue, Apr 17, 2012 at 6:34 AM, Seth Hall <seth at icir.org> wrote:
>
> On Apr 16, 2012, at 8:18 PM, Martin Holste wrote:
>
>> But I'm still getting a ton of "PacketFilter::Dropped_Packets" to notice.log.
>> What do I need to do to disable these messages?
>
> Notice processing docs:
>        http://www.bro-ids.org/documentation/notice.html
>
> You can use the notice ignore shortcut because you want to completely ignore a notice type:
>        http://www.bro-ids.org/documentation/notice.html#id7
>
> redef Notice::ignored_types += { PacketFilter::Dropped_Packets };
>

That didn't appear to completely work for me as the default action
still seemed to be applied.

I changed it to this:
redef Notice::policy += {
	[$pred(n: Notice::Info) = { return n$note == PacketFilter::Dropped_Packets; },
	 $action = Notice::ACTION_NONE,
	 $halt = T]
};

Before adding '$halt=T', the action in the log listed both ACTION_NONE
and ACTION_LOG.

-will

>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



