[Bro] Question: using Log Filter Framework

James Dickenson jdickenson at gmail.com
Tue Aug 29 13:31:06 PDT 2017


Thanks Justin!

That did the trick, now I can start getting myself into deeper trouble!

-James

On Tue, Aug 29, 2017 at 11:14 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>
>> On Aug 29, 2017, at 1:54 PM, James Dickenson <jdickenson at gmail.com> wrote:
>>
>> Hey All,
>>
>> Hey I've been trying to use the log filter framework to filter out
>> various things like certain IP ranges and other records.  Here is my
>> attempt but Bro is complaining about line 8 saying my syntax isn't
>> correct.   Does anyone know what I'm doing wrong?  I've been using
>> Seth's blog post on the framework as an example of how to build the
>> log filters.  --->
>> http://blog.bro.org/2012/02/filtering-logs-with-bro.html
>>
>>
>> Thanks in advance!
>>
>> -James D.
>>
>>
>> ###### code #######
>>
>> global filter_ip_set: subnet = 1.0.0.0/8 &redef;
>>
>> event bro_init()
>>        {
>>        Log::remove_default_filter(HTTP::LOG);
>>        Log::add_filter(HTTP::LOG, [$name="orig_h_filter",
>>                                    $pred(rec: HTTP::Info) = {
>>                                    rec$id$orig_h in $filter_ip_set;
>>                                    } ]);
>>        Log::add_filter(HTTP::LOG, [$name="resp_h_filter",
>>                                    $pred(rec: HTTP::Info) = {
>>                                    rec$id$resp_h in $filter_ip_set;
>>                                    } ]);
>>        }
>>
>> #########################
>>
>> ###### error ########
>> error in **snip*** test.bro, line 8: syntax error, at or near ";"
>
> That just has 2 small issues:
>
> $filter_ip_set should be filter_ip_set and the pred function needs to return a boolean, so:
>
>        Log::add_filter(HTTP::LOG, [$name="orig_h_filter",
>                                    $pred(rec: HTTP::Info) = {
>                                    return rec$id$orig_h in filter_ip_set;
>                                    } ]);
>
> Personally I'd format that sort of thing like
>
>     Log::add_filter(HTTP::LOG, [
>         $name="orig_h_filter",
>         $pred(rec: HTTP::Info) = {
>             return rec$id$orig_h in filter_ip_set;
>         }
>     ]);
>
> Also, not sure if that is just an example, but you'd probably want something like
>
>     Log::add_filter(HTTP::LOG, [
>         $name="host_filter",
>         $pred(rec: HTTP::Info) = {
>             return rec$id$orig_h in filter_ip_set || rec$id$resp_h in filter_ip_set;
>         }
>     ]);
>
>
> Finally.. if you are doing more complicated things in the pred function splitting the statement up can help readability.
>
> function interesting_connections(rec: HTTP::Info): bool
> {
>     return rec$id$orig_h in filter_ip_set || rec$id$resp_h in filter_ip_set;
> }
>
> event bro_init()
> {
>     local filter: Log::Filter = [$name="host_filter", $pred=interesting_connections];
>     Log::add_filter(HTTP::LOG, filter);
> }
>
> --
> - Justin Azoff


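Worked example added by the editor; it is not code from either poster. It puts Justin's corrected predicate into a complete script and adds the check a practitioner would want: Bro writes a record when `$pred` returns T, so a predicate written as `rec$id$orig_h in filter_ip_set || ...` keeps only the listed ranges. To exclude them from http.log, the predicate has to be negated. Rather than discarding the excluded records, the script routes them to a second file through a second filter with its own `$path`. The module name, the range list, the filter names and the `http-internal` path are assumptions for illustration.

```zeek
# Added example, not from the original thread. Two complementary filters on
# the HTTP log: one keeps http.log free of the listed ranges, the other
# writes exactly those records to http-internal.log so nothing is lost.
# Module name, ranges, filter names and the "http-internal" path are assumed.

module HTTPFilter;   # hypothetical module name

export {
    ## Address ranges whose HTTP activity should be kept out of http.log.
    ## Extend from local.bro with: redef HTTPFilter::excluded_ranges += { 172.16.0.0/12 };
    const excluded_ranges: set[subnet] = {
        10.0.0.0/8,
        192.168.0.0/16
    } &redef;
}

## True when either endpoint of the connection falls in an excluded range.
## "addr in set[subnet]" matches the address against every subnet in the set.
function involves_excluded(rec: HTTP::Info): bool
    {
    return rec$id$orig_h in excluded_ranges || rec$id$resp_h in excluded_ranges;
    }

## Predicate for the main log: a record is written only when $pred returns T,
## so this must be the negation. Without the "!" http.log would contain
## nothing but the excluded ranges.
function keep_external(rec: HTTP::Info): bool
    {
    return ! involves_excluded(rec);
    }

## Negative priority so this runs after base/protocols/http has created HTTP::LOG.
event bro_init() &priority=-5
    {
    # Remove the stock filter; otherwise it keeps writing every record to http.log.
    Log::remove_default_filter(HTTP::LOG);

    # http.log (default path derived from the stream id): external traffic only.
    Log::add_filter(HTTP::LOG, [$name="http-external",
                                $pred=keep_external]);

    # http-internal.log: the excluded records, kept for investigations.
    Log::add_filter(HTTP::LOG, [$name="http-internal",
                                $path="http-internal",
                                $pred=involves_excluded]);
    }
```

Run it against a capture with `bro -r trace.pcap filter.bro` and check that every line of http.log has both `id.orig_h` and `id.resp_h` outside the listed ranges while http-internal.log holds the rest; the two files together should have the same line count as http.log did before the filters were installed. Keeping the filter names and paths distinct matters: two filters on one stream that resolve to the same path would write to the same file.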