Hello, running bro version 2.5 on CentOS 7.
Our bro is old, working on getting it upgraded.
Is there a way – documentation would be good – to filter DNS domains out using bro configs?
We see this:
…/bro/site/postbody/postbody.bro
const no_ref_bl = /"api.viglink.com"/ |
/"app.huvle.com"/ |
/"developer.myntra.com"/ |
/".youdao.com"/ |
/"log.getdropbox.com"/ |
/"api.lytics.io"/ |
/"eohlan0"/ |
/".sogou.com"/ |
/".ge.com"/ |
/"stats.pandora.com"/ |
/"printer-installer.itssc.alstom.com"/ |
/"slotbonanza.com"/ |
/"a.foxsports.com"/ |
/"www.geroutes.com"/ |
/3.\d{1,3}.\d{1,3}.\d{1,3}/ |
/10.\d{1,3}.\d{1,3}.\d{1,3}/
&redef;
Is it as simple as adding a line like /"microsoft.com"/ | below, say, /"a.foxsports.com"/ | ?
Many thanks, bro/zeek team.