[Bro] Filtering PacketFilter::Dropped_Packets

Martin Holste mcholste at gmail.com
Tue Apr 17 06:41:29 PDT 2012


Looks like Will's method is working.  Thanks much!

On Tue, Apr 17, 2012 at 7:51 AM, Will <baxterw3232 at gmail.com> wrote:
> On Tue, Apr 17, 2012 at 6:34 AM, Seth Hall <seth at icir.org> wrote:
>>
>> On Apr 16, 2012, at 8:18 PM, Martin Holste wrote:
>>
>>> But I'm still getting a ton of "PacketFilter::Dropped_Packets" to notice.log.
>>> What do I need to do to disable these messages?
>>
>> Notice processing docs:
>>        http://www.bro-ids.org/documentation/notice.html
>>
>> You can use the notice ignore shortcut because you want to completely ignore a notice type:
>>        http://www.bro-ids.org/documentation/notice.html#id7
>>
>> redef Notice::ignored_types += { PacketFilter::Dropped_Packets };
>>
>
> That didn't appear to completely work for me as the default action
> still seemed to be applied.
>
> I changed it to this:
> redef Notice::policy += {
>     [$pred(n: Notice::Info) = { return n$note == PacketFilter::Dropped_Packets; },
>      $action = Notice::ACTION_NONE,
>      $halt = T]
> };
>
> Before adding '$halt=T', the action in the log listed both ACTION_NONE
> and ACTION_LOG.
>
> -will
>
>>  .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>>
