[Bro] Disabling an analyzer in weird

James Lay jlay at slave-tothe-box.net
Fri Mar 10 15:11:21 PST 2017


Perfect...thanks Shane and Jan...I'll give it a go and report my 
findings.

James

On 2017-03-10 15:05, Jan Grashöfer wrote:
>> Specifically to weird logging, you can redef individual messages:
>> 
>>     redef Weird::actions["dns_unmatched_msg"] = Weird::ACTION_IGNORE;
>>     redef Weird::actions["dns_unmatched_reply"] = Weird::ACTION_IGNORE;
> 
> Just remembered that as I read "dns_unmatched_reply". Thanks for helping
> out, Shane!
> 
>> Re-reading, didn't realize there were more actions than IGNORE (and LOG).
>> Smart.
> 
> That's the reason why this mechanism would be preferred for filtering weird.
> 
> Thanks,
> Jan
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
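
As an added example, not part of the thread or of Bro's shipped scripts: the `Weird::actions` table discussed above also accepts the actions beyond IGNORE and LOG, so a noisy weird can be rate-limited instead of dropped. Which action is assigned to which message here is an assumption for illustration.

```bro
# Added example, e.g. loaded from local.bro; the per-message action choices
# are illustrative assumptions, not a recommendation from the thread.
redef Weird::actions += {
    # Suppress completely: this name no longer reaches weird.log.
    ["dns_unmatched_msg"] = Weird::ACTION_IGNORE,

    # Keep the signal but cut the volume: log once per originator host
    # instead of once per occurrence.
    ["dns_unmatched_reply"] = Weird::ACTION_LOG_PER_ORIG
};
```

Names not listed in the table keep their existing action, so only the two DNS weirds change behaviour.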

