[Bro] Disabling an analyzer in weird
Shane Filus
filus at psc.edu
Fri Mar 10 13:45:11 PST 2017
On 3/10/17 4:22 PM, James Lay wrote:
> Thanks Jan,
>
> I got this to fly with disabling the analyzer, but as I look at the
> weird.log there are several items I'd like to filter out. For example:
>
> dns_unmatched_msg
> inappropriate_FIN
Hi James,
Specifically to weird logging, you can redef individual messages:
redef Weird::actions["dns_unmatched_msg"] = Weird::ACTION_IGNORE;
redef Weird::actions["dns_unmatched_reply"] = Weird::ACTION_IGNORE;
https://www.bro.org/sphinx/scripts/base/frameworks/notice/weird.bro.html
Re-reading, didn't realize there were more actions than IGNORE (and LOG).
Smart.
Thanks!
Shane
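As an added illustration (not part of Shane's mail), a local.bro fragment that applies the per-message tuning described above. It assumes the Bro 2.x Weird framework's action enum, which besides ACTION_IGNORE and ACTION_LOG also offers rate-limited variants such as ACTION_LOG_ONCE and ACTION_LOG_PER_ORIG; the choice of which weird gets which action is a constructed example, not a recommendation from the thread.

```bro
# Added example for local.bro: tune weird.log without disabling an analyzer.
# Weird::actions is a redef-able table[string] of Weird::Action whose
# default is ACTION_LOG, so only the entries you override change behaviour.

# Pure noise for this deployment: drop it from weird.log entirely.
redef Weird::actions["dns_unmatched_msg"] = Weird::ACTION_IGNORE;
redef Weird::actions["dns_unmatched_reply"] = Weird::ACTION_IGNORE;

# Still worth seeing, but once per originating host is enough to notice a
# misbehaving stack without flooding the log (table-append form of redef).
redef Weird::actions += {
    ["inappropriate_FIN"] = Weird::ACTION_LOG_PER_ORIG,
    # Keep a single record that the condition occurred at all.
    ["above_hole_data_without_any_acks"] = Weird::ACTION_LOG_ONCE,
};
```

Verify with `bro -C -r sample.pcap local` and inspect weird.log: the ignored names should be absent and inappropriate_FIN should appear at most once per orig_h.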