[Bro] HTTP Log filter
Brandon Sterne
brandon.sterne at gmail.com
Thu Sep 27 21:34:30 PDT 2018
I recently implemented a filter to prevent URLs matching a particular regex
from getting logged. You could adapt this to your User-Agent condition
fairly easily:
##! This script ignores particular events that we don't want winding up in the
##! Bro logs.
##!
##! Useful docs:
##! https://www.bro.org/development/projects/logging-api.html
##! https://www.bro.org/sphinx-git/frameworks/logging.html#filter-log-records

@load base/protocols/http

# Filter unwanted HTTP events, like the /app_info/status requests.
function http_not_ignored(rec: HTTP::Info) : bool
    {
    # uri is &optional in HTTP::Info, so check that it is set before matching.
    if ( rec?$uri && /app_info/ in rec$uri )
        return F;

    return T;
    }

event bro_init()
    {
    # First remove the default filter for HTTP logs.
    Log::remove_default_filter(HTTP::LOG);

    # Add an HTTP filter back in to log only the events we want.
    Log::add_filter(HTTP::LOG, [$name = "http-not-ignored",
                                $path = "http",
                                $pred = http_not_ignored]);
    }
Cheers,
Brandon
On Thu, Sep 27, 2018 at 6:59 AM Rick Chisholm <chavez243 at gmail.com> wrote:
> Need to find a way to filter all traffic from a particular user-agent so
> that it does not get logged.
>
> Been reading docs and reviewing .bro files, but still kind of stumped.
> Any help is greatly appreciated.
>
> TIA
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
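The adaptation Brandon suggests, written out as an added example (not code from either post): the predicate tests the optional `user_agent` field of `HTTP::Info` instead of `uri`, and matching records are diverted to a second log path rather than dropped, so nothing is lost on the basis of a client-controlled header. The module name `HTTPFilter`, the constant `noisy_user_agents` and the pattern `ExampleMonitor/1.0` are constructed placeholders.

```bro
##! Added example: divert HTTP records with a given User-Agent out of http.log.
##! The pattern below is a constructed placeholder; redef it for your own agent.

@load base/protocols/http

module HTTPFilter;   # module name is an assumption, not from the post

export {
    ## User-Agent values matching this pattern are moved out of http.log.
    const noisy_user_agents = /ExampleMonitor\/1\.0/ &redef;
}

function is_noisy(rec: HTTP::Info): bool
    {
    # user_agent is &optional in HTTP::Info; a request with no header is kept.
    return rec?$user_agent && noisy_user_agents in rec$user_agent;
    }

function keep_in_http_log(rec: HTTP::Info): bool
    {
    return ! is_noisy(rec);
    }

event bro_init()
    {
    # Replace the default http.log filter with one that skips noisy agents.
    Log::remove_default_filter(HTTP::LOG);
    Log::add_filter(HTTP::LOG, [$name = "http-filtered",
                                $path = "http",
                                $pred = keep_in_http_log]);

    # Write the skipped records to http-noisy.log instead of discarding them:
    # User-Agent is set by the client, so it is a weak reason to lose evidence.
    Log::add_filter(HTTP::LOG, [$name = "http-noisy",
                                $path = "http-noisy",
                                $pred = is_noisy]);
    }
```

Both filters see every `HTTP::Info` record; each record lands in exactly one of the two files, and conn.log is unaffected because only `HTTP::LOG` is filtered.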