[Zeek] files.log

Michał Purzyński michalpurzynski1 at gmail.com
Sat Dec 22 16:03:41 PST 2018


This is what I do. It allowed me to cut the number of files events by
like 70% and the total SIEM intake by a whopping 30%

You most definitely want to filter those out. Be aware there are some
drawbacks, though, like you just lost the trivial ability to correlate
x509-files-ssl but you combat that by correlating the "id" field from
the x509 log with the cert_chain_fuids field from the ssl.log



module LogFilter;

# MIME types Zeek assigns to certificate files. They are dropped from files.log
# because x509.log already records every certificate; correlate x509.log's "id"
# with ssl.log's cert_chain_fuids instead of going through files.log.
const cert_mime_types: set[string] = {
	"application/pkix-cert",
	"application/x-x509-ca-cert",
	"application/x-x509-user-cert",
};

event bro_init()
	{
	Log::remove_default_filter(Files::LOG);
	Log::add_filter(Files::LOG, [$name = "files-noise",
	                             # The predicate returns T to keep a record and F to drop it.
	                             # The MIME type does not depend on the transmitting host, so
	                             # no loop over rec$tx_hosts is needed for this decision.
	                             $pred(rec: Files::Info) = {
	                                     if ( rec?$mime_type && rec$mime_type in cert_mime_types )
	                                             return F;
	                                     return T;
	                             }
	                            ]);
	}

On Sat, Dec 22, 2018 at 10:19 AM anthony kasza <anthony.kasza at gmail.com> wrote:
>
> You may find these walkthroughs helpful.
>
> https://blog.zeek.org/2012/02/filtering-logs-with-bro.html
> https://www.zeek.org/manual/release/frameworks/file-analysis.html#file-lifecycle-events
>
> -AK
>
> On Sat, Dec 22, 2018, 11:45 Alex Kefallonitis <al.kefallonitis at gmail.com> wrote:
>>
>> Hi is there a way to exclude only application/pkix-cert from files.log ?
>>
>> Thanks in advance
>> _______________________________________________
>> Zeek mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
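Added illustration, not part of the thread: the offline correlation Michał describes, joining each ssl.log cert_chain_fuids entry to the x509.log record with the matching id once certificate files no longer appear in files.log. The log excerpts are constructed sample data in Zeek's default TSV layout, reduced to the relevant columns.

```python
"""Join Zeek ssl.log to x509.log via cert_chain_fuids (constructed sample logs, not real captures)."""
from typing import Dict, List

# Constructed ssl.log / x509.log excerpts in Zeek's default TSV format, reduced to the relevant columns.
SSL_LOG = (
    "#separator \\x09\n#set_separator\t,\n#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tserver_name\tcert_chain_fuids\n"
    "1545500000.1\tCabc1\t10.0.0.5\t203.0.113.7\twww.example.org\tFleaf01,Finter02\n"
    "1545500001.2\tCabc2\t10.0.0.6\t203.0.113.8\tmail.example.org\tFleaf03\n"
    "1545500002.3\tCabc3\t10.0.0.7\t203.0.113.9\t-\t-\n"
)
X509_LOG = (
    "#fields\tts\tid\tcertificate.subject\tcertificate.issuer\n"
    "1545500000.1\tFleaf01\tCN=www.example.org\tCN=Example Intermediate CA\n"
    "1545500000.1\tFinter02\tCN=Example Intermediate CA\tCN=Example Root CA\n"
)

def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """'#fields' names the columns; every other '#' line is metadata; data rows are tab-separated."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def split_vector(value: str) -> List[str]:
    """vector[string] is serialized with ',' between elements; '-' is unset and '(empty)' an empty vector."""
    return [] if value in ("-", "(empty)") else value.split(",")

def join_ssl_x509(ssl_text: str, x509_text: str) -> List[dict]:
    """One row per (connection, certificate): the ssl.log uid plus the x509.log record whose id is that fuid."""
    x509_by_id = {r["id"]: r for r in parse_zeek_tsv(x509_text)}
    joined = []
    for conn in parse_zeek_tsv(ssl_text):
        for depth, fuid in enumerate(split_vector(conn["cert_chain_fuids"])):
            cert = x509_by_id.get(fuid)  # None if x509.log has no entry for this fuid
            joined.append({
                "uid": conn["uid"], "server_name": conn["server_name"], "fuid": fuid,
                "chain_depth": depth,  # 0 is the server (leaf) certificate
                "subject": cert["certificate.subject"] if cert else None,
                "issuer": cert["certificate.issuer"] if cert else None,
            })
    return joined
```

A cert_chain_fuids value of "-" (no certificate seen, e.g. a resumed session) yields no rows for that connection, and a fuid missing from x509.log keeps the row with subject and issuer set to None so the gap stays visible.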

