[Bro] Creating multiple notice logs
Azoff, Justin S
jazoff at illinois.edu
Fri May 13 08:00:12 PDT 2016
> On May 13, 2016, at 10:44 AM, Dave Crawford <bro at pingtrip.com> wrote:
>
> Does anyone have an example of diverting specific notices to a new log file?
>
> Is the right approach to hook "Notice::policy" (with priority), Log:write to the new log stream and then 'break' from the hook?
>
> -Dave
Yes.. you're on the right track. As it turns out I have a script that does exactly that.
The input file is so I can have a file with rows like
#fields ip note reason timestamp
1.2.3.4 TeamCymruMalwareHashRegistry::Match test box 1445362562
The key thing that my script does is
n$actions = set();
If you just wanted to move some notices to a different log file you could accomplish that much easier by using Log::add_filter with a path_func.
--
- Justin Azoff
Attachment: ignore-notices.bro (application/octet-stream, 1025 bytes): http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160513/a0dee435/attachment.obj
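The Log::add_filter/path_func approach Justin recommends, written out as an added example (this is not the ignore-notices.bro script attached to his message). It attaches one filter to Notice::LOG whose path_func returns a different log path for the notice types listed in a redef-able set, so those notices land in notice-diverted.log while everything else stays in notice.log. The module name NoticeSplit, the set diverted_types and the path "notice-diverted" are assumptions chosen for the example; TeamCymruMalwareHashRegistry::Match is the notice type from the thread and comes from policy/frameworks/files/detect-MHR, which the script loads.

```bro
##! Divert selected notice types into their own log file by attaching a
##! filter with a path_func to the Notice::LOG stream.
##! Added example; not the script attached to the original message.

@load base/frameworks/notice
# Defines TeamCymruMalwareHashRegistry::Match, the notice type used below.
@load policy/frameworks/files/detect-MHR

module NoticeSplit;

export {
	## Notice types that go to the separate log instead of notice.log.
	## Constructed starting set; extend it with redef in local.bro, e.g.
	## redef NoticeSplit::diverted_types += { SSH::Password_Guessing };
	const diverted_types: set[Notice::Type] = {
		TeamCymruMalwareHashRegistry::Match,
	} &redef;

	## Log path (without the .log suffix) that diverted notices are written to.
	const diverted_path = "notice-diverted" &redef;
}

## Called once per Notice::Info record. The default path handed in is
## "notice"; returning another string sends this record to that file instead.
function diverted_path_func(id: Log::ID, path: string, rec: Notice::Info): string
	{
	if ( rec$note in diverted_types )
		return diverted_path;

	return path;
	}

event bro_init() &priority=-5
	{
	# Notice::LOG is created in the notice framework's bro_init at priority 5,
	# so this handler runs after the stream exists. Replace the default filter
	# rather than adding a second one, so each notice is written exactly once.
	Log::remove_default_filter(Notice::LOG);
	Log::add_filter(Notice::LOG, [$name="notice-split",
	                              $path_func=diverted_path_func]);
	}
```

Because the record is still written through the same stream, the diverted file keeps the normal notice.log columns, and the Notice::policy hook (including any suppression or ACTION_EMAIL handling) runs unchanged; only the destination file differs. The hook-plus-break approach from the question also works but bypasses the rest of the notice pipeline for those records, which matters if you rely on suppression or other actions for them.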