[Bro] Disabling an analyzer in weird
James Lay
jlay at slave-tothe-box.net
Fri Mar 10 13:22:49 PST 2017
Thanks Jan,
I got this to fly with disabling the analyzer, but as I look at the
weird.log there are several items I'd like to filter out. For example:
dns_unmatched_msg
inappropriate_FIN
and others. I've looked at the code snippet as shown below:
function http_only(rec: Conn::Info) : bool
    {
    # Record only connections with successfully analyzed HTTP traffic
    return rec?$service && rec$service == "http";
    }

event bro_init()
    {
    local filter: Log::Filter = [$name="http-only", $path="conn-http",
                                 $pred=http_only];
    Log::add_filter(Conn::LOG, filter);
    }
and, as usual when I stare at bro code snippets, I'm completely lost. I
get that the above creates a new log and only http from conn.log, but I
have no idea how to tweak this to filter out things from weird.log.
I've looked at:
http://try.bro.org/#/?example=logs-filter-logs
http://blog.bro.org/2012/02/filtering-logs-with-bro.html
https://www.bro.org/development/projects/logging-api.html
I see a lot of these are about splitting into new logs or filtering out
fields...none of which I want to do. Any additional guidance on
negating entries from logs would be excellent. Thank you...bro always
makes me feel stupid 8-/
James
On 2017-03-10 12:30, Jan Grashöfer wrote:
>> Thanks Jan. So I did more digging...this used to work in 2.4.1:
>>
>> http://mailman.icsi.berkeley.edu/pipermail/bro/2014-July/007178.html
>>
>> But now no longer...I guess I don't want to see binpac exceptions in
>> weird. Any folks have any thoughts on this? Thank you.
>
> So if disabling the syslog analyzer completely is ok for you that should
> just work fine with 2.5. Do you see any errors?
>
> Jan
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
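One way to do what James asks, as an added example that is not from the thread or from the Bro project: instead of creating a second log, the predicate is attached to the stock "default" filter of weird.log, so entries whose name is in the set are simply not written. The module name WeirdFilter and the set name ignored_names are assumptions; the two weird names come from the question.

```bro
##! Drop selected weird names from weird.log (added example, not part of the thread).

module WeirdFilter;

export {
    ## Weird names that should not be written to weird.log.
    ## The two entries are the ones named in the question; add more with redef.
    const ignored_names: set[string] = {
        "dns_unmatched_msg",
        "inappropriate_FIN",
    } &redef;
}

## Predicate for the logging framework: returning F discards the record,
## returning T writes it as usual.
function keep_weird(rec: Weird::Info): bool
    {
    return rec$name !in ignored_names;
    }

## Negative priority so this runs after the Weird module has created its
## log stream and default filter in its own bro_init handler.
event bro_init() &priority=-5
    {
    # Fetch the existing "default" filter for weird.log, attach the
    # predicate and re-add it; add_filter replaces a filter of the same name,
    # so weird.log itself is filtered rather than a new log being created.
    local f = Log::get_filter(Weird::LOG, "default");
    f$pred = keep_weird;
    Log::add_filter(Weird::LOG, f);
    }
```

Entries the predicate drops are not recorded anywhere, so keep the set to names you have confirmed are noise and review it when tuning.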