[Bro] [EXTERNAL] changing log output

Lamps, Jereme jlamps at sandia.gov
Thu Nov 3 15:56:49 PDT 2016


This will do it for you I think:

event bro_init() {
  # Turn off the http.log stream; the HTTP analyzer keeps running,
  # so scripts that depend on it (detect-sqli etc.) still work.
  Log::disable_stream(HTTP::LOG);
}



Jereme

On 11/3/16, 4:36 PM, "bro-bounces at bro.org on behalf of John Ives"
<bro-bounces at bro.org on behalf of jives at security.berkeley.edu> wrote:

>I'm trying to configure bro to work within some proposed privacy
>policies. For example, one of the things we may not be allowed to store
>is the http traffic logs. I want bro to still know (internally) what is
>happening in these streams so that it can use it for other functions
>(like sqli detection which loads http), just not output the normal logs.
> I had thought to do this through Notice::ignored_types
>in local.bro, however the following is still outputting the http.log file.
>
>redef Notice::ignored_types += {
>  SSL::Invalid_Server_Cert,
>  HTTP::LOG,
> };
>
>Additionally, I suspect that while this method (if I get it to work) may
>result in sqli notices, I am not sure it will result in me getting the
>attack data. For example, if a sqli attack is detected, I would like the
>http.log style string to be output to a file.
>
>Any suggestions on how first to prevent the http.log file creation and
>then make sure the offending traffic is recorded for detect-sqli.bro?
>
>Yours,
>
>John
>
>-- 
>------------------------------------------------------------------------
>John Ives
>Information Security & Policy			    Phone (510) 229-8676
>University of California, Berkeley
>------------------------------------------------------------------------
>
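For the second half of the question (no general http.log, but the requests that trip detect-sqli still written out), an added local.bro fragment, not code from the thread or from the Bro distribution. It assumes Bro 2.x with policy/protocols/http/detect-sqli loaded, which adds the HTTP::URI_SQLI tag to c$http$tags for matching requests; the filter name "sqli-only" and log path "http_sqli" are choices for this example. Note that Notice::ignored_types is a set of Notice::Type values, not of log stream IDs, which is why the redef in the question has no effect on http.log.

```bro
# Added example (not from the thread): keep HTTP analysis running, drop the
# normal http.log, and write only SQLi-tagged requests to a separate log.
# Assumes Bro 2.x with policy/protocols/http/detect-sqli loaded; that script
# sets the URI_SQLI tag in c$http$tags for requests matching its regex.
@load protocols/http/detect-sqli

module HTTP;

# Priority -5 so this runs after the HTTP log stream has been created
# (base/protocols/http creates it in bro_init at priority 5).
event bro_init() &priority=-5
    {
    # Remove the stock filter that writes every HTTP record to http.log.
    Log::remove_default_filter(HTTP::LOG);

    # Add a filter that only passes records carrying the SQLi tag. Records
    # without the tag are never written, so no general http.log is produced.
    # "sqli-only" and "http_sqli" are names chosen for this example.
    Log::add_filter(HTTP::LOG, [$name="sqli-only",
                                $path="http_sqli",
                                $pred=function(rec: HTTP::Info): bool
                                    {
                                    return URI_SQLI in rec$tags;
                                    }]);
    }
```

Append this to local.bro instead of the Log::disable_stream() call above: disabling the stream stops all HTTP log output, while replacing the default filter keeps the stream alive so the tagged records (the http.log style lines for the offending requests) land in http_sqli.log.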
