[Bro] Exclude S0 connections from conn.log?

Mike Eriksson mike at swedishmike.org
Mon Jul 17 05:36:48 PDT 2017


All,

With the pointers from Jan, and some earlier replies to an earlier
question, I've managed to cobble together the following:

<- Cut ->
module LogFilter;

event bro_init()
    {
    # Replace the default conn.log filter with one that drops S0 (no reply
    # seen) connections originated from outside Site::local_nets.
    Log::remove_default_filter(Conn::LOG);
    Log::add_filter(Conn::LOG, [$name = "conn-filter-external-S0",
                                $pred(rec: Conn::Info) = {
                                    # conn_state is &optional in Conn::Info,
                                    # so check it is present before reading it
                                    if ( rec?$conn_state && rec$conn_state == "S0" &&
                                         ! Site::is_local_addr(rec$id$orig_h) )
                                        return F;
                                    return T;
                                }]);
    }
<- Cut ->

It _seems_ to be working as expected so I thought I'd post it here. For two
reasons ;)

1. It could help someone else in the same predicament.
2. There could be a better way of doing it - or even a correct one ;) - and
someone might spot my mistake(s).

Cheers, Mike

On Mon, Jul 17, 2017 at 9:42 AM Jan Grashöfer <jan.grashoefer at gmail.com>
wrote:

> Hi Mike,
>
> > Basically what I'd like to achieve is for the script to not log any
> events
> > with a conn_state of S0 if the originating node is not in my local
> > networks.
> >
> > If someone could give me some guidance on how to achieve this I'd be
> > forever grateful.
>
> you can use a filter (e.g., change the default one):
> https://www.bro.org/sphinx/frameworks/logging.html#filter-log-records
>
> There is also a blog post
> (http://blog.bro.org/2012/02/filtering-logs-with-bro.html) with a couple
> of examples as well as scripts available on github (e.g.,
>
> https://github.com/michalpurzynski/bro-gramming/blob/master/filter_noise_conn.bro
> ).
>
> Jan
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
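As an added example (not code from this thread or from Bro's own scripts), a variant of the same idea that keeps the default conn.log filter intact and routes the external S0 records to their own log instead of discarding them, so scan activity is still available to investigate; the `LogFilter` module name follows Mike's script, and `external_s0_path` and `is_external_s0` are assumed names.

```bro
module LogFilter;

export {
    # Assumed name for the extra log path (writes conn_external_s0.log).
    const external_s0_path = "conn_external_s0" &redef;
}

# True for S0 connections whose originator is outside Site::local_nets.
function is_external_s0(rec: Conn::Info): bool
    {
    # conn_state is &optional in Conn::Info; guard before reading it.
    return rec?$conn_state && rec$conn_state == "S0" &&
           ! Site::is_local_addr(rec$id$orig_h);
    }

event bro_init()
    {
    # Attach a predicate to the existing default filter rather than
    # recreating it, so conn.log keeps everything except external S0.
    local f = Log::get_filter(Conn::LOG, "default");
    f$pred = function(rec: Conn::Info): bool { return ! is_external_s0(rec); };
    Log::add_filter(Conn::LOG, f);

    # Second filter on the same stream: only the excluded records,
    # written to a separate file for later review.
    Log::add_filter(Conn::LOG, [$name = external_s0_path,
                                $path = external_s0_path,
                                $pred = function(rec: Conn::Info): bool
                                    { return is_external_s0(rec); }]);
    }
```

Both filters share the Conn::LOG stream, so each record is evaluated by both predicates and ends up in exactly one of the two files.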