[Bro] [EXTERNAL] changing log output
John Ives
jives at security.berkeley.edu
Thu Nov 3 16:30:30 PDT 2016
Jereme,
Thank you very much, that seems to have done the trick for disabling the
http.log.
John
On 11/3/16 3:56 PM, Lamps, Jereme wrote:
> This will do it for you I think:
>
> event bro_init() {
> Log::disable_stream(HTTP::LOG);
> }
>
>
>
> Jereme
>
> On 11/3/16, 4:36 PM, "bro-bounces at bro.org on behalf of John Ives"
> <bro-bounces at bro.org on behalf of jives at security.berkeley.edu> wrote:
>
>> I'm trying to configure bro to work within some proposed privacy
>> policies. For example, one of the things we may not be allowed to store
>> is the http traffic logs. I want bro to still know (internally) what is
>> happening in these streams so that it can use it for other functions
>> (like sqli detection which loads http), just not output the normal logs.
>> I had thought to do this through Notice::ignored_types
>> in local.bro, however the following is still outputting the http.log file.
>>
>> redef Notice::ignored_types += {
>> SSL::Invalid_Server_Cert,
>> HTTP::LOG,
>> };
>>
>> Additionally, I suspect that while this method (if I get it to work) may
>> result in sqli notices, I am not sure it will result in me getting the
>> attack data. For example, if a sqli attack is detected, I would like the
>> http.log style string to be output to a file.
>>
>> Any suggestions on how first to prevent the http.log file creation and
>> then make sure the offending traffic is recorded for detect-sqli.bro?
>>
>> Yours,
>>
>> John
>>
>> --
>> ------------------------------------------------------------------------
>> John Ives
>> Information Security & Policy Phone (510) 229-8676
>> University of California, Berkeley
>> ------------------------------------------------------------------------
>>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
--
------------------------------------------------------------------------
John Ives
Information Security & Policy Phone (510) 229-8676
University of California, Berkeley
------------------------------------------------------------------------
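The thread settles the first half of the question (no http.log at all), but John's second request, keeping an http.log-style record only for requests that detect-sqli.bro flagged, is answered differently: disabling the whole stream as above would also silence any filter attached to it. The script below is an added example, not code from either poster; it assumes Bro 2.x with policy/protocols/http/detect-sqli loaded, which tags flagged requests with HTTP::URI_SQLI, HTTP::POST_SQLI or HTTP::COOKIE_SQLI in c$http$tags, and uses Log::remove_default_filter plus a predicated Log::add_filter so HTTP::LOG stays enabled internally but only SQLi-tagged rows reach disk.

```bro
# Added example, not from the thread. Leaves HTTP::LOG enabled so other
# scripts (detect-sqli.bro included) still see HTTP events, drops the stock
# http.log writer, and writes only SQLi-tagged requests to http-sqli.log.
# Assumes Bro 2.x; the tag names come from policy/protocols/http/detect-sqli.
@load protocols/http/detect-sqli

# Predicate applied to every HTTP::Info record before it is written.
# rec$tags is the set[HTTP::Tags] field that detect-sqli.bro populates.
function is_sqli(rec: HTTP::Info): bool
	{
	return HTTP::URI_SQLI in rec$tags ||
	       HTTP::POST_SQLI in rec$tags ||
	       HTTP::COOKIE_SQLI in rec$tags;
	}

# Negative priority: run after base/protocols/http has created HTTP::LOG.
event bro_init() &priority=-5
	{
	# Remove the default filter so the normal http.log is never written ...
	Log::remove_default_filter(HTTP::LOG);

	# ... and attach one that keeps only records the SQLi detector flagged.
	Log::add_filter(HTTP::LOG, [$name="sqli-only",
	                            $path="http-sqli",
	                            $pred=is_sqli]);
	}
```

The resulting http-sqli.log has the same columns as a normal http.log, so the offending request line, headers and user agent are preserved for the Notice while ordinary browsing is never stored.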