[Bro] [EXTERNAL] changing log output

John Ives jives at security.berkeley.edu
Thu Nov 3 16:30:30 PDT 2016


Jereme,

Thank you very much, that seems to have done the trick for disabling the
http.log.

John


On 11/3/16 3:56 PM, Lamps, Jereme wrote:
> This will do it for you I think:
> 
> event bro_init() {
>  Log::disable_stream(HTTP::LOG);
> }
> 
> 
> 
> Jereme
> 
> On 11/3/16, 4:36 PM, "bro-bounces at bro.org on behalf of John Ives"
> <bro-bounces at bro.org on behalf of jives at security.berkeley.edu> wrote:
> 
>> I'm trying to configure bro to work within some proposed privacy
>> policies. For example, one of the things we may not be allowed to store
>> is the http traffic logs. I want bro to still know (internally) what is
>> happening in these streams so that it can use it for other functions
>> (like sqli detection which loads http), just not output the normal logs.
>> I had thought to do this through Notice::ignored_types
>> in local.bro, however the following is still outputting the http.log file.
>>
>> redef Notice::ignored_types += {
>>  SSL::Invalid_Server_Cert,
>>  HTTP::LOG,
>> };
>>
>> Additionally, I suspect that while this method (if I get it to work) may
>> result in sqli notices, I am not sure it will result in me getting the
>> attack data. For example, if a sqli attack is detected, I would like the
>> http.log style string to be output to a file.
>>
>> Any suggestions on how first to prevent the http.log file creation and
>> then make sure the offending traffic is recorded for detect-sqli.bro?
>>
>> Yours,
>>
>> John
>>
>> -- 
>> ------------------------------------------------------------------------
>> John Ives
>> Information Security & Policy			    Phone (510) 229-8676
>> University of California, Berkeley
>> ------------------------------------------------------------------------
>>

-- 
------------------------------------------------------------------------
John Ives
Information Security & Policy			    Phone (510) 229-8676
University of California, Berkeley
------------------------------------------------------------------------
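As an added example (not from anyone in this thread), here is a local.bro fragment, in Bro 2.x script syntax, that covers both halves of the original question: it removes the stock http.log filter so the full HTTP log is never written, but keeps the HTTP analysis running and writes only the requests that detect-sqli.bro tagged as SQL injection to a separate http_sqli.log. It assumes the HTTP::URI_SQLI tag that policy/protocols/http/detect-sqli.bro adds to c$http$tags, and the filter name and path are my own choices.

```bro
# local.bro (added example, not from the thread)
@load protocols/http/detect-sqli

# Run after base/protocols/http/main.bro has created the HTTP::LOG stream
# (it does so at a higher bro_init priority).
event bro_init() &priority=-5
	{
	# Drop the "default" filter so the complete http.log is never written.
	# Unlike Log::disable_stream(HTTP::LOG), this leaves the stream itself
	# alive so our own filter below can still receive records.
	Log::remove_default_filter(HTTP::LOG);

	# Keep only records that detect-sqli.bro flagged (it adds the URI_SQLI
	# tag to the request when the URI matches its SQLi regex) and send them
	# to http_sqli.log instead of http.log. The record layout is the normal
	# http.log layout, which is what the poster asked for.
	Log::add_filter(HTTP::LOG, [$name="sqli-only",
	                            $path="http_sqli",
	                            $pred(rec: HTTP::Info) = {
	                                return HTTP::URI_SQLI in rec$tags;
	                            }]);
	}
```

Notices from detect-sqli.bro (HTTP::SQL_Injection_Attacker and HTTP::SQL_Injection_Victim) are raised independently of logging, so they keep working with this configuration.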
