[Bro] Disabling an analyzer in weird

Jan Grashöfer jan.grashoefer at gmail.com
Fri Mar 10 14:05:20 PST 2017


> Specifically to weird logging, you can redef individual messages:
> 
>     redef Weird::actions["dns_unmatched_msg"] = Weird::ACTION_IGNORE;
>     redef Weird::actions["dns_unmatched_reply"] = Weird::ACTION_IGNORE;

Just remembered that as I read "dns_unmatched_reply". Thanks for helping
out, Shane!

> Re-reading, didn't realize there were more actions than IGNORE (and LOG).
> Smart.

That's the reason why this mechanism would be preferred for filtering weird.

Thanks,
Jan

