[Bro] Disable Log Stream but not the analyzers
Azoff, Justin S
jazoff at illinois.edu
Fri Nov 23 08:47:03 PST 2018
Read my response again...
Using Log::remove_default_filter does what you want. You used remove_stream which is something different.
________________________________
From: Alex Kefallonitis <al.kefallonitis at gmail.com>
Sent: Thursday, November 22, 2018 5:05:48 AM
To: michalpurzynski1 at gmail.com
Cc: Azoff, Justin S; Bro at bro.org
Subject: Re: [Bro] Disable Log Stream but not the analyzers
So there is no way to disable specific logs but still use the analyzers in the script? The scripts are reading the actual logs and need them to work?
On Thu, 22 Nov 2018 at 10:58 AM, Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
Indeed, scripts you’re showing depend on the log streams you just disabled.
On Nov 22, 2018, at 12:39 AM, Alex Kefallonitis <al.kefallonitis at gmail.com> wrote:
Hi, I did change it, but no logs regarding HTTP are produced, like https://raw.githubusercontent.com/sethhall/bro-scripts/master/top-websites.bro or https://github.com/BrashEndeavours/bro-scripts/blob/master/http_entropy.bro.
On Wed, 21 Nov 2018 at 11:03 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
Hi,
Using
Log::remove_default_filter(HTTP::LOG);
instead of disable_stream should do what you want.
________________________________
From: bro-bounces at bro.org <bro-bounces at bro.org> on behalf of Alex Kefallonitis <al.kefallonitis at gmail.com>
Sent: Wednesday, November 21, 2018 4:28:32 AM
To: Bro at bro.org
Subject: [Bro] Disable Log Stream but not the analyzers
I have disabled the Log Stream for HTTP:
event bro_init()
    {
    Log::disable_stream(HTTP::LOG);
    }
But I want scripts using the HTTP protocol to work, e.g. https://raw.githubusercontent.com/sethhall/bro-scripts/master/top-websites.bro
Is there any other way to do it?
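The approach from the replies in this thread, written out as an added example that is not part of the original messages: the default filter is removed so http.log is no longer written, while a script that consumes the stream's log event keeps receiving records. The module name `Example` and the `host_hits` table are hypothetical, and the Bro 2.x event names `bro_init`/`bro_done` are assumed.

```bro
@load base/protocols/http

module Example;

# Hypothetical per-host request counter, standing in for any script
# that consumes HTTP log records (assumption, not code from the thread).
global host_hits: table[string] of count &default=0;

event bro_init()
	{
	# Removes the filter that writes http.log. The HTTP::LOG stream itself
	# stays enabled, so records are still built and the stream's log
	# event below is still raised.
	Log::remove_default_filter(HTTP::LOG);

	# For contrast, the call from the original post turns the whole
	# stream off, and handlers of HTTP::log_http stop receiving records:
	# Log::disable_stream(HTTP::LOG);
	}

# Raised for each record written to the HTTP::LOG stream, whether or not
# any filter sends it to disk.
event HTTP::log_http(rec: HTTP::Info)
	{
	# The host field is optional, so check it before use.
	if ( rec?$host )
		++host_hits[rec$host];
	}

event bro_done()
	{
	# Print the counts at shutdown; no http.log exists at this point.
	for ( h in host_hits )
		print fmt("%s %d", h, host_hits[h]);
	}
```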