[Bro] Disabling an analyzer in weird

James Lay jlay at slave-tothe-box.net
Mon Mar 13 13:02:05 PDT 2017


Hi Jan,

Thanks for looking at this...I don't want to be a pest and we can take 
this off list if we need to so as not to drive all the smart people 
crazy :)  Here's what I added:

function filter_weird (rec: Weird::Info) : bool
     {
     return rec$name ! in set("binpac exception");
     }

event bro_init()
     {
     local filter: Log::Filter = Log::get_filter(Weird::LOG, "default");
     filter$pred=filter_weird;
     Log::add_filter(Weird::LOG, filter);
     }

This is getting "syslogs" from Windows machines via a third party app.  
Clearly not adhering to the RFC.  As for pcap, I cannot as this is 
sensitive data :(  I can share more details off list if needed.  Thank 
you.

James

On 2017-03-13 13:33, Jan Grashöfer wrote:
> Hi James,
> 
>> Well I gave it a shot...no go though:
>> 
>> 1489425830.509505       CD8sYx3dttq6ynlg2c      x.x.x.x      51132
>> x.x.x.x      514     binpac exception: string mismatch at
>> /home/build/bro-2.5/src/analyzer/protocol/syslog/syslog-protocol.pac:8:
>> \x0aexpected pattern: "[[:digit:]]+"\x0aactual data:
>> "<snip>x09MSWinEventLog\x091\x09Application\x09674838\x09Mon Mar 13
>> 11:23:50 <snip> \x0a"        -       F       worker-3-5
> 
> How did you customize the filter_weird function to match that line?
> Looks like the name field also contains some context-dependent info, so
> that you might need a regex. However, if you see a lot of this, it might
> be a good idea to dig deeper into the analyzer. Can you provide a pcap
> for testing?
> 
> Jan
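Added example (editor's note, not James's script and not part of Bro itself): the set lookup in the posted script only drops a record whose name is exactly "binpac exception", but the weird.log line above carries the exception text after that prefix, so the lookup never matches. The variant below does what Jan suggests and matches the name against an anchored regex instead. It assumes a stock Bro 2.5 with the default Weird::LOG stream and its "default" filter; the module name, the drop_names constant and the bro_init priority are choices made here, not anything from the thread.

```bro
# Editor's example, not from the mailing list post.
# Drop weird.log records whose name starts with "binpac exception".
# Assumes the default Weird::LOG stream and "default" filter exist.

module WeirdFilter;

export {
	# Anchored pattern for names to drop from weird.log. Because the
	# weird name carries context after the prefix, an exact set lookup
	# would never match; "^" anchors the match at the start of the name.
	# Redef-able so a site can widen or narrow it without editing this file.
	const drop_names: pattern = /^binpac exception/ &redef;
}

function filter_weird(rec: Weird::Info): bool
	{
	# A Log::Filter predicate returns T to write the record and F to drop it.
	# "pattern in string" is true when the pattern matches anywhere in the
	# string; the anchor restricts it to the start.
	return ! (drop_names in rec$name);
	}

# Negative priority (assumption) so this runs after the Weird stream is
# created in base/frameworks/notice/weird.bro.
event bro_init() &priority=-5
	{
	local filter: Log::Filter = Log::get_filter(Weird::LOG, "default");
	filter$pred = filter_weird;
	Log::add_filter(Weird::LOG, filter);
	}
```

Two things worth keeping in mind: the predicate only changes what is written to weird.log, so the Weird::weird events and any notices derived from them still fire; and a filter like this only removes the symptom. If the count of dropped records is large, the syslog analyzer itself is the place to look, which is the point of Jan's request for a pcap.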
