[Bro] Converting a Bro Script to A New Stream
Justin Azoff
JAzoff at albany.edu
Mon Aug 20 07:07:00 PDT 2012
On Thu, Aug 16, 2012 at 05:32:28PM -0400, Chris Crawford wrote:
> I have a short bro script that I wrote that hooks the DNS log
> (http://www.bro-ids.org/documentation/logging.html#hooking-into-the-logging).
> Each time a DNS::log_dns event fires, if a specific IP is in
> rec$answers, the script prints out rec$ts, rec$uid, rec$id$orig_h, and
> rec$query.
>
> I want the entries from the script to go to their own log, though. I
> am struggling to figure out how to make that work. Based on the
> documentation for logging, it looks like I'd need to define a new
> Stream to create a new log file.
> (http://www.bro-ids.org/documentation/logging.html#adding-streams)
This is really simple. See some of the examples here:
http://blog.bro-ids.org/2012/02/filtering-logs-with-bro.html
You want to use Log::add_filter with a pred function that does the
filtering, like this example:
Log::add_filter(HTTP::LOG, [$name = "http-executables",
                            $path = "http_exe",
                            $pred(rec: HTTP::Info) = { return rec?$mime_type && rec$mime_type == "application/x-dosexec"; }]);
--
-- Justin Azoff
-- Network Security & Performance Analyst
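The same pattern applied to the DNS case from the question, as an added example that is not part of the original thread; the watched address and the dns_watch log path are constructed placeholders:

```bro
# Added example: route DNS records whose answers contain a specific IP
# into their own log file (dns_watch.log), leaving the normal dns.log intact.
# The address below is a constructed placeholder; override it with redef.
const watched_ip = "192.0.2.10" &redef;

event bro_init()
    {
    Log::add_filter(DNS::LOG, [$name = "dns-watch",
                               $path = "dns_watch",
                               $pred(rec: DNS::Info) = {
                                   # answers is an optional field; a query with
                                   # no response has none, so guard before use.
                                   if ( ! rec?$answers )
                                       return F;
                                   # Iterating a vector yields its indices, and the
                                   # answers are strings, so compare as strings
                                   # rather than converting CNAME answers to addr.
                                   for ( i in rec$answers )
                                       {
                                       if ( rec$answers[i] == watched_ip )
                                           return T;
                                       }
                                   return F;
                               }]);
    }
```

Only records for which the predicate returns T are written to dns_watch.log; the default filter still writes every record to dns.log.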