bro_log_file and log_hook

In trying to turn off stderr spraying to the screen I found something that doesn't seem to provide enough info - or maybe I'm having a senior moment?

I stumbled across this and couldn't figure out how to implement log_hook in my policy file:

<http://www.bro-ids.org/Bro-reference-manual/log-Analysis-Script.html#log-Analysis-Script>

Trying to find more info I notice it is referring to "bro_log_file" but this is not a reference I can find in the html online docs or in the online PDF.

Searching bro-ids.org with google finds one other mention:

<http://www.bro-ids.org/Bro-reference-manual/Uncategorized.html>

but does not help me understand the logging much better.

Is there a missing link to a "bro_log_file" reference on the site? Grep'ing in the policy dir didn't find any examples of "log_hook" to copy.

TIA

Forgot to add, log_hook reference at

<http://www.bro-ids.org/Bro-reference-manual/Predefined-Functions.html>

also seems to reference missing docs.

> In trying to turn off stderr spraying to the screen I found something that
> doesn't seem to provide enough info - or maybe I'm having a senior moment?

No, you don't. With Bro 0.9a7, there has been a change of names with
regards to "log", "alert", "alarm", etc. to make their uses more
consistent/intuitive (see the CHANGES entry for more information).
The docs haven't been updated yet.

The former "log_hook" is now called "alarm_hook". Here's an example:

   function alarm_hook(msg: string): bool
        {
        print "Foo", msg;
        return T;
        }

   alarm "Bar";

   > ./bro ./a.bro
   Foo, Bar
   1146240414.805556 Bar

Robin
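As an added example (not code from the thread), here is an alarm_hook in the same style as Robin's that treats messages differently by their text: it assumes, as Robin's example shows, that returning T lets Bro's default alarm line through and that returning F does not, and it assumes Bro's pattern-in-string test (`/^weird:/ in msg`) is available in this version.

```bro
# Added example, not from the original thread.
# Assumption: returning T from alarm_hook keeps Bro's default handling
# (the timestamped line on stderr), returning F suppresses it.
function alarm_hook(msg: string): bool
    {
    # Alarms raised by weird.bro carry a "weird:" prefix; drop those here
    # so they do not reach the screen (assumes pattern-in-string matching).
    if ( /^weird:/ in msg )
        return F;

    # Everything else: print it with the network time and also let Bro's
    # default alarm output run.
    print fmt("%.6f alarm: %s", network_time(), msg);
    return T;
    }

alarm "weird: spontaneous_RST";   # suppressed by the hook
alarm "out of scope (mail)";      # printed by the hook and by Bro
```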

Thanks, Robin. Very helpful.

I've got something working but...

weird.bro gets @load'ed and I end up with lots of weird messages sprayed to the screen.

How do I turn this off via alarm_hook?

My messages (print via alarm()) work fine but the weird stuff is still spraying. Probably a tidbit I'm missing?

Here's what I've got...ignore whether what is printed makes sense - just playing/learning the lingo.

function alarm_hook(msg: string): bool
{
     # Print the alarm text ourselves instead of Bro's default line.
     print msg;
     return F;
}

event connection_established(c: connection)
{
     local id = c$id;
     local service = id$resp_p;
     local inbound = is_local_addr(id$resp_h);

     # Only look at connections to our mail servers.
     if ( id$resp_h in mail_servers )
     {
          # Inbound connection to a mail server on a port we don't allow.
          if ( inbound && [ id$resp_h, service ] !in allowed_mail_services )
          {
               alarm fmt("out of scope (mail) : %s", full_id_string(c));
          }
     }
}

The output looks kinda like:

1146059131.898819 weird: spontaneous_RST
1146059132.021314 weird: spontaneous_RST
1146059132.942845 weird: unsolicited_SYN_response
1146059132.945050 weird: unsolicited_SYN_response
1146059132.947408 weird: unsolicited_SYN_response
1146059132.949907 weird: unsolicited_SYN_response
out of scope (mail) : 142.92.39.44 ?b ?>? 142.92.39.129/ssh ?b 0.0s
1146059132.952414 weird: unsolicited_SYN_response
1146059132.963438 weird: unsolicited_SYN_response
1146059132.966381 weird: unsolicited_SYN_response
1146059133.277703 weird: connection_originator_SYN_ack
1146059133.313146 weird: data_before_established
1146059133.315934 weird: possible_split_routing

with bazillions of weird stderr output. How to eliminate the weird stuff?

TIA!

Can you double-check that weird.bro is loaded? Because when it is,
the weird messages are supposed to go into weird.log rather than to
stderr.

Robin