[Bro] Exclude S0 connections from conn.log?
Jan Grashöfer
jan.grashoefer at gmail.com
Mon Jul 17 01:40:35 PDT 2017
Hi Mike,
> Basically what I'd like to achieve is for the script to not log any events
> with a conn_state of S0 if the originating node is not in my local
> networks.
>
> If someone could give me some guidance on how to achieve this I'd be
> forever grateful.
You can use a filter (e.g., change the default one):
https://www.bro.org/sphinx/frameworks/logging.html#filter-log-records
There is also a blog post
(http://blog.bro.org/2012/02/filtering-logs-with-bro.html) with a couple
of examples, as well as scripts available on GitHub (e.g.,
https://github.com/michalpurzynski/bro-gramming/blob/master/filter_noise_conn.bro).
Jan
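What the reply describes, as an added example that is not part of the original thread and not code from the Bro project or the linked blog post: a script that replaces the default conn.log filter with one whose predicate drops S0 connections whose originator is outside Site::local_nets. The filter name "default", Log::get_filter, Log::add_filter, Site::is_local_addr and the Conn::Info fields used are the Bro 2.x logging and site framework APIs; the bro_init priority value is an assumption chosen so the code runs after base/protocols/conn has installed its stream and default filter.

```bro
# Added example (not from the original post or the Bro project):
# rewrite the default conn.log filter so that connections with
# conn_state S0 (SYN seen, no reply) are not written to conn.log
# when the originator is not in one of our local networks.
# A log filter only changes what is written to the log file;
# connection events (e.g. connection_attempt) still fire normally.

@load base/protocols/conn
@load base/utils/site

# Negative priority (assumed value) so this runs after the Conn stream
# and its "default" filter have been created by base/protocols/conn.
event bro_init() &priority=-5
    {
    # Fetch the filter that base/protocols/conn installed for conn.log.
    local f = Log::get_filter(Conn::LOG, "default");

    # A filter predicate returns T to write the record and F to drop it.
    f$pred = function(rec: Conn::Info): bool
        {
        # conn_state is &optional in Conn::Info; keep records that lack it
        # rather than risk a runtime error on an unset field.
        if ( ! rec?$conn_state )
            return T;

        # Keep everything that is not an unanswered connection attempt.
        if ( rec$conn_state != "S0" )
            return T;

        # Keep S0 records whose originator is in Site::local_nets
        # (populated from networks.cfg under broctl); drop the rest.
        return Site::is_local_addr(rec$id$orig_h);
        };

    # Adding a filter with the name of an existing one replaces it,
    # so this swaps the default conn.log filter for the modified copy.
    Log::add_filter(Conn::LOG, f);
    }
```

Drop the script into local.bro (or @load it from there) and redeploy with broctl. Two caveats worth checking: Site::local_nets must actually be populated, otherwise Site::is_local_addr returns F for everything and every S0 record is dropped; and because the records are discarded before they reach the writer, any scan or beaconing detection that reads conn.log after the fact (rather than consuming connection events) will no longer see those external SYNs.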