[Bro] Disabling an analyzer in weird
James Lay
jlay at slave-tothe-box.net
Fri Mar 10 15:28:02 PST 2017
Well, I'm certainly close. Thanks to the redef I'm able to squelch out a
lot of noise, but alas, not the binpac exception. If I disable the
analyzer I don't get any syslog.log file, so that's not what I need in
this case. I'll keep digging...thanks again for all the help.
James
On 2017-03-10 16:11, James Lay wrote:
> Perfect...thanks Shane and Jan...I'll give it a go and report my
> findings.
>
> James
>
> On 2017-03-10 15:05, Jan Grashöfer wrote:
>>> Specifically to weird logging, you can redef individual messages:
>>>
>>> redef Weird::actions["dns_unmatched_msg"] = Weird::ACTION_IGNORE;
>>> redef Weird::actions["dns_unmatched_reply"] = Weird::ACTION_IGNORE;
>>
>> Just remembered that as I read "dns_unmatched_reply". Thanks for
>> helping out, Shane!
>>
>>> Re-reading, didn't realize there were more actions than IGNORE (and
>>> LOG). Smart.
>>
>> That's the reason why this mechanism would be preferred for filtering
>> weird.
>>
>> Thanks,
>> Jan
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
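The mechanism Shane and Jan describe, written out as a small site policy for Bro 2.x. This is an added example and is not code from the thread or from the Bro project; it only reuses the `Weird::actions` table and the `Weird::ACTION_*` values that ship in `base/frameworks/notice/weird.bro`. The two DNS weird names come from the thread; the other two weird names are placeholders chosen to show the per-connection and per-originator variants, and should be replaced with names actually seen in your own weird.log. One caveat worth keeping in mind, which fits James's report that the redef did not catch the binpac exception: `Weird::actions` is a plain table keyed by the weird's name, so the lookup is an exact string match, and a weird whose name carries variable text (such as an exception message) will not match a fixed key.

```bro
# Added example site policy (not from the thread or the Bro distribution).
# Assumes Bro 2.x with the stock Weird framework loaded.
@load base/frameworks/notice/weird

# The two DNS weirds named in the thread: drop them entirely.
# Exact-match keys; anything not listed keeps the table's &default (ACTION_LOG).
redef Weird::actions["dns_unmatched_msg"] = Weird::ACTION_IGNORE;
redef Weird::actions["dns_unmatched_reply"] = Weird::ACTION_IGNORE;

# Placeholder weird name: still log it, but only once per connection
# instead of once per occurrence, which is what usually floods weird.log.
redef Weird::actions["PLACEHOLDER_chatty_weird"] = Weird::ACTION_LOG_PER_CONN;

# Placeholder weird name: something you actually want an analyst to see.
# Raise a notice (Weird::Activity) rather than just a log line, limited
# to one notice per originating host so a noisy source cannot page you
# repeatedly.
redef Weird::actions["PLACEHOLDER_interesting_weird"] = Weird::ACTION_NOTICE_PER_ORIG;

# Hosts whose weirds should never be reported at all (e.g. a scanner you
# run yourself). Constructed example addresses, not real hosts.
redef Weird::ignore_hosts += { 192.0.2.10, 192.0.2.11 };
```

Put this in a file loaded from `local.bro`, then `broctl check` and `broctl deploy`. The full set of actions is `ACTION_IGNORE`, `ACTION_LOG`, `ACTION_LOG_ONCE`, `ACTION_LOG_PER_CONN`, `ACTION_LOG_PER_ORIG`, `ACTION_NOTICE`, `ACTION_NOTICE_ONCE`, `ACTION_NOTICE_PER_CONN` and `ACTION_NOTICE_PER_ORIG`; the `_ONCE` and `_PER_*` variants are what make this preferable to disabling an analyzer, since the analyzer keeps producing its protocol log while only the repetitive weird records are suppressed.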