[Bro] Exclude S0 connections from conn.log?
Mike Eriksson
mike at swedishmike.org
Mon Jul 17 05:36:48 PDT 2017
All,
With the pointers from Jan, and some earlier replies to an earlier
question, I've managed to cobble together the following:
<- Cut ->
module LogFilter;

event bro_init()
    {
    # Drop the stock conn.log filter and replace it with one whose
    # predicate decides, record by record, whether the line is written.
    Log::remove_default_filter(Conn::LOG);
    Log::add_filter(Conn::LOG, [$name = "conn-filter-external-S0",
        $pred(rec: Conn::Info) = {
            local result = T;
            # conn_state is &optional in Conn::Info, so make sure it is
            # set before reading it.
            if ( rec?$conn_state && (/^S0$/ in rec$conn_state) &&
                 ! Site::is_local_addr(rec$id$orig_h) )
                result = F;   # external originator, no reply seen: skip it
            return result;
            }
        ]);
    }
<- Cut ->
It _seems_ to be working as expected so I thought I'd post it here. For two
reasons ;)
1. It could help someone else in the same predicament.
2. There could be a better way of doing it - or even a correct one ;) - and
someone might spot my mistake(s).
Cheers, Mike
On Mon, Jul 17, 2017 at 9:42 AM Jan Grashöfer <jan.grashoefer at gmail.com>
wrote:
> Hi Mike,
>
> > Basically what I'd like to achieve is for the script to not log any
> events
> > with a conn_state of S0 if the originating node is not in my local
> > networks.
> >
> > If someone could give me some guidance on how to achieve this I'd be
> > forever grateful.
>
> you can use a filter (e.g., change the default one):
> https://www.bro.org/sphinx/frameworks/logging.html#filter-log-records
>
> There is also a blog post
> (http://blog.bro.org/2012/02/filtering-logs-with-bro.html) with a couple
> of examples as well as scripts available on github (e.g.,
>
> https://github.com/michalpurzynski/bro-gramming/blob/master/filter_noise_conn.bro
> ).
>
> Jan
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
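A variant of the filter above, written as an added example for this thread (it is not Mike's script or Jan's, and `is_external_s0` and the `conn-external-s0` log path are names chosen here): instead of discarding externally originated S0 records, it keeps them out of the main conn.log but writes them to a second log path. An S0 from an outside host to a local one is a connection attempt that got no reply, which is exactly what scanning and unsolicited probing look like, so silently dropping those records throws away evidence that may be wanted later. The example assumes Site::local_nets is populated (for instance via networks.cfg); if it is empty, Site::is_local_addr() returns F for every address and every S0 record would be treated as external.

```bro
# Added example, not code from the original thread.
# Assumes Site::local_nets is configured so Site::is_local_addr() is meaningful.
module LogFilter;

# Hypothetical helper: T when the record is an S0 connection whose
# originator is outside Site::local_nets. conn_state is &optional in
# Conn::Info, so test for presence before reading it.
function is_external_s0(rec: Conn::Info): bool
    {
    if ( ! rec?$conn_state )
        return F;
    return rec$conn_state == "S0" && ! Site::is_local_addr(rec$id$orig_h);
    }

event bro_init()
    {
    # Replace the default filter: the main conn.log keeps everything
    # except externally originated S0 records.
    Log::remove_default_filter(Conn::LOG);
    Log::add_filter(Conn::LOG, [$name = "conn-no-external-S0",
                                $path = "conn",
                                $pred(rec: Conn::Info) = { return ! is_external_s0(rec); }]);

    # Second filter on the same stream: the excluded records are written
    # to conn-external-s0.log instead of being lost.
    Log::add_filter(Conn::LOG, [$name = "conn-external-S0",
                                $path = "conn-external-s0",
                                $pred(rec: Conn::Info) = { return is_external_s0(rec); }]);
    }
```

Both filters attach to Conn::LOG, so each record is offered to each predicate independently; the two predicates are complements, so every record lands in exactly one of the two files. Load the script with the rest of local.bro and check that conn.log and conn-external-s0.log both appear in the log directory after a restart.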