[Bro] Disabling an analyzer in weird

James Lay jlay at slave-tothe-box.net
Mon Mar 13 10:26:42 PDT 2017


Well I gave it a shot...no go though:

1489425830.509505       CD8sYx3dttq6ynlg2c      x.x.x.x      51132   
x.x.x.x      514     binpac exception: string mismatch at 
/home/build/bro-2.5/src/analyzer/protocol/syslog/syslog-protocol.pac:8: 
\x0aexpected pattern: "[[:digit:]]+"\x0aactual data: 
"<snip>x09MSWinEventLog\x091\x09Application\x09674838\x09Mon Mar 13 
11:23:50 <snip> \x0a"        -       F       worker-3-5

Ok Seth...how does one stop either a) weird from analyzing a protocol, or b) 
logging binpac errors?  Thanks.

James


On 2017-03-11 16:36, James Lay wrote:
> Thanks a bunch Jan...I'll give that a test and report my findings ☺
> 
> James
> 
> On Sat, 2017-03-11 at 21:46 +0100, Jan Grashöfer wrote:
> 
>> Hi James,
>> 
>>> Well I'm certainly close. Thanks to the redef I'm able to squelch
>>> out a lot of noise, but alas, not the binpac exception. If I
>>> disable the analyzer I don't get any syslog.log file, so that's
>>> not what I need in this case. I'll keep digging..thanks again for
>>> all the help.
>> If that particular notice is not listed in Weird::actions, you can
>> still just filter manually. Something like that might work for you:
>> http://try.bro.org/#/trybro/saved/130377
>> 
>> Jan
>> _______________________________________________ Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
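The manual filtering Jan suggests, as an added example (not the thread's own code and not the contents of the try.bro.org link): a predicate filter on Weird::LOG that drops only the syslog binpac exceptions shown above while every other weird entry is still written. It assumes Bro 2.5 field names (Weird::Info$name) and that the ".pac" path is embedded in the weird name, as in the log line in this message.

```bro
# Added example, not from the mailing-list thread.
# Assumption: the binpac exception text lands in the weird record's $name
# field (not $addl), so the .pac path of the syslog analyzer is visible there.
const syslog_binpac_noise = /binpac exception: .*syslog-protocol\.pac/ &redef;

# Keep the record (return T) unless it is one of the syslog binpac exceptions.
function keep_weird(rec: Weird::Info): bool
	{
	return ! (syslog_binpac_noise in rec$name);
	}

event bro_init()
	{
	# Replace the stock filter with one that carries our predicate; the
	# analyzer keeps running, so syslog.log is still produced.
	Log::remove_default_filter(Weird::LOG);
	Log::add_filter(Weird::LOG, [$name="default", $pred=keep_weird]);
	}
```

The pattern is &redef so it can be widened to other analyzers' .pac files from local.bro without editing this script.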

