[Bro] changing log output

John Ives jives at security.berkeley.edu
Thu Nov 3 15:36:48 PDT 2016


I'm trying to configure bro to work within some proposed privacy
policies. For example, one of the things we may not be allowed to store
is the http traffic logs. I want bro to still know (internally) what is
happening in these streams so that it can use it for other functions
(like sqli detection which loads http), just not output the normal logs.
I had thought to do this through Notice::ignored_types in local.bro;
however, the following is still outputting the http.log file.

redef Notice::ignored_types += {
  SSL::Invalid_Server_Cert,
  HTTP::LOG,
};

Additionally, I suspect that while this method (if I get it to work) may
result in sqli notices, I am not sure it will result in me getting the
attack data. For example, if a sqli attack is detected, I would like the
http.log style string to be output to a file.

Any suggestions on how first to prevent the http.log file creation and
then make sure the offending traffic is recorded for detect-sqli.bro?

Yours,

John

-- 
------------------------------------------------------------------------
John Ives
Information Security & Policy			    Phone (510) 229-8676
University of California, Berkeley
------------------------------------------------------------------------
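One way to do both, as an added example that is not part of this thread: it assumes the Bro 2.x logging framework API (Log::remove_default_filter, Log::add_filter, Log::Filter with a $pred function) and the pattern HTTP::match_sql_injection_uri exported by policy/protocols/http/detect-sqli.bro.

```bro
# Added example for local.bro (Bro 2.x); not from the original post.
# Assumes detect-sqli.bro exports HTTP::match_sql_injection_uri (the URI
# pattern it uses to raise its SQL_Injection_* notices).
@load protocols/http/detect-sqli

event bro_init()
    {
    # Keep the HTTP analyzer and the HTTP::LOG stream alive so that
    # detect-sqli (and every other script hooking HTTP events) still sees
    # all traffic, but drop the default filter so the normal http.log is
    # never written. (Log::disable_stream(HTTP::LOG) would also stop the
    # file while keeping analysis, but then no filter below could fire.)
    Log::remove_default_filter(HTTP::LOG);

    # Replace it with a filter that writes only the requests whose URI
    # matches the SQLi pattern, using the http.log column layout, to a
    # separate file: http-sqli.log.
    local sqli_only: Log::Filter = [
        $name = "sqli-only",
        $path = "http-sqli",
        $pred = function(rec: HTTP::Info): bool
            {
            # uri is &optional in HTTP::Info; guard before matching.
            return rec?$uri && HTTP::match_sql_injection_uri in rec$uri;
            }
        ];
    Log::add_filter(HTTP::LOG, sqli_only);
    }
```

The notices from detect-sqli.bro are threshold-based, while this filter records every individual request that matches the pattern, so http-sqli.log may contain requests that never reached the notice threshold.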
