[Bro] The code for "weird" logging activity.

fatema bannatwala fatema.bannatwala at gmail.com
Mon Oct 16 12:58:43 PDT 2017


Hey All,

So, I was going through the weird.log file generated by Bro every hour,
and found a lot of activity that I would like to suppress, and for some
activity I would like to know the source (i.e. what part of the Bro code is
raising those "weird" activity logs in weird.log) to analyse whether it's
legit or can be suppressed.

For example, I would like to suppress "DNS_RR_unknown_type 46", as it is,
I think, not an unknown type: it's defined in RFC 4034 as "RRSIG" (and
some other similar weird activity).

Hence, I wanted to see what code during packet analysis might have raised
one of the *_weird events to log that connection.

I was searching for the string "weird" in an effort to find the Bro scripts
that either load weird or create a log stream in weird.log, but couldn't
find the code/script that is responsible for those notices in weird.log.

P.S.: I know about the weird.bro in the notice framework; I am searching for
the part of the code that would *use* *_weird events to log weird activity
in weird.log.

Checked the policy/base dirs:

 policy]$ find . -type f -exec cat {} + | grep "weird"

##! This script handles core generated connection related "weird" events to
##! push weird information about connections into the weird framework.
                # This is weird beause it would mean that someone didn't
                event conn_weird("smb_pipe_request_missing_uuid", c, "");
                # This is weird: the inquirer must also be providing answers in


Any pointers to the right direction would be really appreciated :)

Thanks,
Fatema.
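Added example, not from the poster or from the Bro project. Names such as DNS_RR_unknown_type are raised by the core's C++ protocol analyzers (for DNS, the analyzer under src/analyzer/protocol/dns in the Bro source tree), not by a script, which is why grepping the script tree only turns up the script-side handlers; the script side, including the Weird::actions table that decides what is logged, ignored or turned into a notice, is base/frameworks/notice/weird.bro. The script below triages a weird.log before anything is silenced: it parses the ASCII log by its #fields header, counts weirds per name and per "addl" detail, decodes the RR type number that DNS_RR_unknown_type carries in "addl" (46 is RRSIG per RFC 4034, so "unknown" means undecoded by the analyzer, not unassigned), and renders two Bro snippets: a Weird::actions redef using Weird::ACTION_IGNORE, and a narrower Log::add_filter predicate that drops only name plus addl. Assumptions: the weird.log column layout as Bro 2.5's ASCII writer emits it, that Weird::Info$addl is &optional, and that Log::remove_default_filter / Log::add_filter behave as in the Bro 2.x logging framework; the sample log lines are constructed, not from a real capture.

```python
from collections import Counter, defaultdict

# Constructed sample in Bro's ASCII log layout; the records are made up.
SAMPLE_WEIRD_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tweird\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring\n"
    "1508180323.123456\tCabc1\t10.0.0.5\t51234\t10.0.0.53\t53\tDNS_RR_unknown_type\t46\tF\tbro\n"
    "1508180324.123456\tCabc2\t10.0.0.6\t51235\t10.0.0.53\t53\tDNS_RR_unknown_type\t46\tF\tbro\n"
    "1508180325.123456\tCabc3\t10.0.0.7\t51236\t10.0.0.53\t53\tDNS_RR_unknown_type\t65280\tF\tbro\n"
    "1508180326.123456\tCabc4\t10.0.0.8\t40000\t192.0.2.10\t445\tsmb_pipe_request_missing_uuid\t-\tF\tbro\n"
    "#close\t2017-10-16-13-00-00\n"
)

# Subset of the IANA DNS RR type registry, enough to decode the usual suspects.
DNS_RR_TYPES = {
    1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA",
    33: "SRV", 41: "OPT (RFC 6891)", 43: "DS (RFC 4034)", 46: "RRSIG (RFC 4034)",
    47: "NSEC (RFC 4034)", 48: "DNSKEY (RFC 4034)", 50: "NSEC3 (RFC 5155)", 255: "ANY",
}

def parse_weird_log(text):
    """Parse Bro ASCII log text into dicts keyed by the #fields header, honouring
    #separator / #unset_field / #empty_field rather than assuming fixed columns."""
    sep, unset, empty, fields, records = "\t", "-", "(empty)", None, []
    for line in filter(None, text.splitlines()):
        if line.startswith("#separator "):
            # The separator is written as a literal escape such as \x09.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
        else:
            values = line.split(sep)
            if fields is None or len(values) != len(fields):
                raise ValueError("malformed record: %r" % line)
            records.append({k: None if v == unset else ("" if v == empty else v)
                            for k, v in zip(fields, values)})
    return records

def summarize(records):
    """Count weirds per name, broken down by the 'addl' detail the analyzer attached."""
    by_name = defaultdict(Counter)
    for rec in records:
        by_name[rec["name"]][rec["addl"]] += 1
    return by_name

def describe_rr_type(rr_type):
    """Map an RR type number to a name: unknown to the analyzer is not unassigned."""
    if rr_type in DNS_RR_TYPES:
        return DNS_RR_TYPES[rr_type]
    if 65280 <= rr_type <= 65534:
        return "private use (RFC 6895)"
    return "not in this table"

def triage_dns_unknown_types(records):
    """Decode the type number DNS_RR_unknown_type carries in 'addl' (e.g. '46')."""
    out = {}
    for addl, count in summarize(records)["DNS_RR_unknown_type"].items():
        try:
            desc = describe_rr_type(int(addl))
        except (TypeError, ValueError):
            desc = "no type number in addl"
        out[addl] = (count, desc)
    return out

def ignore_redef(names):
    """Render the redef that sets Weird::ACTION_IGNORE for whole weird names.
    Weird::actions is keyed on the name only, so this also silences
    DNS_RR_unknown_type entries whose type really is unknown."""
    body = ",\n".join('\t["%s"] = Weird::ACTION_IGNORE' % n for n in sorted(names))
    return "redef Weird::actions += {\n%s\n};\n" % body

def addl_filter_script(name, addl):
    """Narrower alternative: swap the default Weird::LOG filter for one whose
    predicate drops only records matching both name and addl ($addl is &optional)."""
    return (
        "event bro_init()\n\t{\n"
        "\tLog::remove_default_filter(Weird::LOG);\n"
        '\tLog::add_filter(Weird::LOG, [$name="drop-%s-%s",\n'
        "\t    $pred=function(rec: Weird::Info): bool\n\t        {\n"
        '\t        return ! (rec$name == "%s" && rec?$addl && rec$addl == "%s");\n'
        "\t        }]);\n\t}\n"
    ) % (name, addl, name, addl)

if __name__ == "__main__":
    recs = parse_weird_log(SAMPLE_WEIRD_LOG)
    for addl, (count, desc) in sorted(triage_dns_unknown_types(recs).items()):
        print("DNS_RR_unknown_type addl=%s x%d -> %s" % (addl, count, desc))
    print(ignore_redef(["DNS_RR_unknown_type"]), addl_filter_script("DNS_RR_unknown_type", "46"))
```

Run it against a real weird.log by replacing SAMPLE_WEIRD_LOG with the file's contents. The caveat worth keeping in mind when choosing between the two rendered snippets: Weird::actions is keyed on the weird name alone, so an ACTION_IGNORE entry hides every DNS_RR_unknown_type, including ones for type numbers that are genuinely unassigned or private-use; the Log::add_filter predicate costs a little more script but keeps those visible.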