[Bro] Exclude S0 connections from conn.log?

Jan Grashöfer jan.grashoefer at gmail.com
Mon Jul 17 01:40:35 PDT 2017


Hi Mike,

> Basically what I'd like to achieve is for the script to not log any events
> with a conn_state of S0 if the originating node is not in my local
> networks.
> 
> If someone could give me some guidance on how to achieve this I'd be
> forever grateful.

you can use a filter (e.g., change the default one):
https://www.bro.org/sphinx/frameworks/logging.html#filter-log-records

There is also a blog post
(http://blog.bro.org/2012/02/filtering-logs-with-bro.html) with a couple
of examples, as well as scripts available on GitHub (e.g.,
https://github.com/michalpurzynski/bro-gramming/blob/master/filter_noise_conn.bro).

Jan
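An added example (not from the original thread) of the filter approach described above: it replaces the default conn.log filter with one whose predicate drops S0 records whose originator is outside the networks configured in Site::local_nets. The filter name "conn-no-external-s0" is an arbitrary choice; everything else is the stock Logging framework API.

```bro
# Added example: exclude S0 connections originated from outside the local
# networks from conn.log, using a Log::Filter predicate.
#
# Assumes Site::local_nets is populated (e.g. via networks.cfg in broctl),
# since Site::is_local_addr() consults it.

event bro_init()
    {
    # Drop the default filter so the stream is written only through ours.
    # Without $path, the path still defaults to "conn", so the output file
    # keeps its usual name.
    Log::remove_default_filter(Conn::LOG);

    Log::add_filter(Conn::LOG, [$name="conn-no-external-s0",
                                $pred(rec: Conn::Info) =
                                    {
                                    # conn_state is &optional; only act on it when set.
                                    if ( rec?$conn_state && rec$conn_state == "S0" &&
                                         ! Site::is_local_addr(rec$id$orig_h) )
                                        return F;   # record is not written

                                    return T;       # everything else is logged
                                    }]);
    }
```

Returning F from the predicate suppresses only the conn.log record; the connection itself is still analysed, so other logs and notices are unaffected.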

