[Zeek] Not recording SOME dns lookups...
Justin Azoff
justin at corelight.com
Mon Aug 12 11:15:35 PDT 2019
Log filtering is what you want. The examples on
https://blog.zeek.org/2012/02/filtering-logs-with-bro.html come close,
specifically example 3. To fully filter the queries instead of just
splitting them off, you'd use something like:
# Query names whose dns.log records should be dropped.
global ignore_queries: set[string] = { "example.com", "example.org" };

# Log filter predicate: return T to write the record, F to drop it.
function ignore_some_queries(rec: DNS::Info): bool
    {
    # Records without a query field are always kept.
    if ( ! rec?$query )
        return T;

    return ( rec$query !in ignore_queries );
    }

event bro_init()
    {
    # Replace the default (write-everything) filter with one that applies the predicate.
    Log::remove_default_filter(DNS::LOG);
    Log::add_filter(DNS::LOG, [
        $name = "dns_filtered",
        $pred = ignore_some_queries
    ]);
    }
On Mon, Aug 12, 2019 at 1:46 PM Jason Blakey <j.blakey at rheagroup.com> wrote:
> Hi all,
>
> I've got a site that I'm running BRO on that is generating TONS of DNS
> events. About 50% of all log file bytes are DNS related. And most of it
> is repeated lookup of a single domain name.
>
> Is there any way (maybe using restrict_filters, maybe something else) to
> NOT log these DNS events for this specific hostname? I've done some poking
> around on google, but nothing's jumping out at me.
>
> Thanks,
> jason
--
Justin
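As an added example (not from this thread, nor part of Zeek itself), the script below extends the predicate idea in two ways a defender usually wants: it matches the noisy names case-insensitively and including their subdomains, using a redef-able pattern instead of an exact-match set, and it counts what it suppressed so the hole in dns.log stays visible at shutdown. The module name, the domain names in the pattern and the filter name are placeholders.

```zeek
# Added example: suppress dns.log records for noisy domains (and their
# subdomains) while keeping a count of what was dropped. Names are placeholders.

module NoisyDNS;

export {
    ## Queries for these names, or any subdomain of them, are not written
    ## to dns.log. Placeholder values; override with redef.
    const noisy_query: pattern = /(^|\.)(example\.com|example\.org)$/ &redef;
}

## Per-name count of suppressed records, reported at shutdown.
global suppressed: table[string] of count &default=0;

# Log filter predicate: T keeps the record, F drops it.
function keep_dns_record(rec: DNS::Info): bool
    {
    # Records without a query (e.g. malformed traffic) are always kept.
    if ( ! rec?$query )
        return T;

    # DNS names are case-insensitive and some resolvers randomise case
    # (0x20 encoding), so normalise before matching.
    local q = to_lower(rec$query);
    if ( noisy_query !in q )
        return T;

    ++suppressed[q];
    return F;
    }

event bro_init()
    {
    Log::remove_default_filter(DNS::LOG);
    Log::add_filter(DNS::LOG, [ $name = "dns_filtered", $pred = keep_dns_record ]);
    }

event bro_done()
    {
    # Make the suppression auditable: how much did the filter hide, and for what?
    for ( q in suppressed )
        print fmt("suppressed %d dns.log records for %s", suppressed[q], q);
    }
```

Load it alongside the default DNS scripts; the filter still writes to the usual dns path, only the matching records disappear. If the volume matters for later investigation rather than just disk, use the split-off form from example 3 in the blog post (a second filter with its own `$path`) instead of dropping the records outright.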