[Bro] Disabling an analyzer in weird

James Lay jlay at slave-tothe-box.net
Mon Mar 13 13:49:11 PDT 2017


Big thanks to Jan...I have so much to learn about bro 8-|  Anyway 
solution below for filtering out binpac exception:

# Predicate for the Weird log: return T to keep a record, F to drop it.
# The `in` operator does an unanchored pattern search, so this matches
# any weird name that contains "binpac exception".
function filter_weird (rec: Weird::Info) : bool
      {
      return /binpac exception/ !in rec$name;
      }

event bro_init()
      {
      # Fetch the stream's default filter, attach the predicate and re-add it.
      local filter: Log::Filter = Log::get_filter(Weird::LOG, "default");
      filter$pred = filter_weird;
      Log::add_filter(Weird::LOG, filter);
      }

Thanks again Jan!

James

On 2017-03-13 13:33, Jan Grashöfer wrote:
> Hi James,
> 
>> Well I gave it a shot...no go though:
>> 
>> 1489425830.509505       CD8sYx3dttq6ynlg2c      x.x.x.x      51132
>> x.x.x.x      514     binpac exception: string mismatch at
>> /home/build/bro-2.5/src/analyzer/protocol/syslog/syslog-protocol.pac:8:
>> \x0aexpected pattern: "[[:digit:]]+"\x0aactual data:
>> "<snip>x09MSWinEventLog\x091\x09Application\x09674838\x09Mon Mar 13
>> 11:23:50 <snip> \x0a"        -       F       worker-3-5
> 
> How did you customize the filter_weird function to match that line?
> Looks like the name field also contains some context-dependent info, so
> that you might need a regex. However, if you see a lot of this, it might
> be a good idea to dig deeper into the analyzer. Can you provide a pcap
> for testing?
> 
> Jan
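As an added example, not code from James or Jan, the predicate approach above generalised a little: instead of discarding the binpac-exception entries, the default weird.log filter drops them and a second filter diverts them to their own log, so the evidence is still available when someone digs into the analyzer as Jan suggests. The module name, the `noisy_weirds` pattern list and the `weird-analyzer` path are my own choices; the only pattern it ships with is the one from this thread.

```zeek
# Added example (not from the original thread): split analyzer noise out of
# weird.log into weird-analyzer.log instead of dropping it on the floor.

module WeirdSplit;

export {
	# Patterns that mark a weird name as analyzer noise. Add more with
	#   redef WeirdSplit::noisy_weirds += { /some other weird/ };
	const noisy_weirds: vector of pattern = { /binpac exception/ } &redef;
}

# True if the record's name matches any of the noisy patterns.
# `in` with a pattern is an unanchored search, so no .* is needed.
function is_noisy(rec: Weird::Info): bool
	{
	for ( i in noisy_weirds )
		{
		if ( noisy_weirds[i] in rec$name )
			return T;
		}

	return F;
	}

# Predicate for the default filter: keep everything that is not noise.
function keep_normal(rec: Weird::Info): bool
	{
	return ! is_noisy(rec);
	}

# Predicate for the side filter: keep only the noise.
function keep_noisy(rec: Weird::Info): bool
	{
	return is_noisy(rec);
	}

# Negative priority so the Weird stream's default filter already exists.
event bro_init() &priority=-5
	{
	local default_f = Log::get_filter(Weird::LOG, "default");
	default_f$pred = keep_normal;
	Log::add_filter(Weird::LOG, default_f);

	# Second filter on the same stream, writing to weird-analyzer.log.
	Log::add_filter(Weird::LOG, [$name="analyzer-noise",
	                             $path="weird-analyzer",
	                             $pred=keep_noisy]);
	}
```

Load it with `@load` from local.bro; a quick check is to count lines in weird-analyzer.log after a run over the same traffic that produced the noisy entries, and to confirm they no longer appear in weird.log.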

