In trying to turn off stderr spraying to the screen I found something that doesn't seem to provide enough info - or maybe I'm having a senior moment?
I stumbled across this and couldn't figure out how to implement log_hook in my policy file:
<http://www.bro-ids.org/Bro-reference-manual/log-Analysis-Script.html#log-Analysis-Script>
Trying to find more info I notice it is referring to "bro_log_file" but this is not a reference I can find in the html online docs or in the online PDF.
Searching bro-ids.org with google finds one other mention:
<http://www.bro-ids.org/Bro-reference-manual/Uncategorized.html>
but does not help me understand the logging much better.
Is there a missing link to a "bro_log_file" reference on the site? Grep'ing in the policy dir didn't find any examples of "log_hook" to copy.
TIA
Forgot to add, log_hook reference at
<http://www.bro-ids.org/Bro-reference-manual/Predefined-Functions.html >
also seems to reference missing docs.
robin
April 28, 2006, 4:11pm
> In trying to turn off stderr spraying to the screen I found something that doesn't seem to provide enough info - or maybe I'm having a senior moment?
No, you don't. With Bro 0.9a7, there has been a change of names with
regards to "log", "alert", "alarm", etc. to make their uses more
consistent/intuitive (see the CHANGES entry for more information).
The docs haven't been updated yet.
The former "log_hook" is now called "alarm_hook". Here's an example:
function alarm_hook(msg: string): bool
    {
    print "Foo", msg;
    return T;
    }

alarm "Bar";
> ./bro ./a.bro
Foo, Bar
1146240414.805556 Bar
Robin
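An added example of the renamed hook in use, not taken from this thread or from the Bro distribution: it writes every alarm to a file with a leading timestamp and returns F so that Bro's default alarm line is not also written to stderr. That returning F suppresses the default output is inferred from Robin's example above (returning T leaves the timestamped line in place); the file name alarm.out, the bro_init trigger and the fmt() layout are this example's own choices.

```bro
# Added example, not part of the original thread.
# Assumptions: alarm_hook returning F suppresses Bro's default alarm output,
# and open()/"print f, ..." write to a file as in other Bro policy scripts.

# File that receives every alarm message (name chosen for this example).
global alarm_out = open("alarm.out");

function alarm_hook(msg: string): bool
    {
    # Prefix each message with the current network time so the file keeps
    # the same leading field as Bro's own alarm lines.
    print alarm_out, fmt("%s %s", network_time(), msg);

    # F: the message has been handled here; do not also emit the default
    # line on stderr.
    return F;
    }

event bro_init()
    {
    # Raise one alarm at startup so the hook can be seen working.
    alarm "alarm_hook installed";
    }
```

Run it the same way as Robin's example (./bro ./a.bro): the alarm text lands in alarm.out instead of on the terminal, while a hook that returns T would produce both.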
Thanks, Robin. Very helpful.
I've got something working but...
weird.bro gets @load'ed and I end up with lots of weird messages sprayed to the screen.
How do I turn this off via alarm_hook?
My messages (print via alarm()) work fine but the weird stuff is still spraying. Probably a tidbit I'm missing?
Here's what I've got...ignore whether what is printed makes sense - just playing/learning the lingo.
function alarm_hook(msg: string): bool
    {
    print msg;
    return F;
    }

event connection_established(c: connection)
    {
    local id = c$id;
    local service = id$resp_p;
    local inbound = is_local_addr(id$resp_h);

    if ( id$resp_h in mail_servers )
        {
        if ( inbound && [ id$resp_h, service ] !in allowed_mail_services )
            {
            alarm fmt("out of scope (mail) : %s", full_id_string(c));
            }
        }
    }
The output looks kinda like:
1146059131.898819 weird: spontaneous_RST
1146059132.021314 weird: spontaneous_RST
1146059132.942845 weird: unsolicited_SYN_response
1146059132.945050 weird: unsolicited_SYN_response
1146059132.947408 weird: unsolicited_SYN_response
1146059132.949907 weird: unsolicited_SYN_response
out of scope (mail) : 142.92.39.44 ?b ?>? 142.92.39.129/ssh ?b 0.0s
1146059132.952414 weird: unsolicited_SYN_response
1146059132.963438 weird: unsolicited_SYN_response
1146059132.966381 weird: unsolicited_SYN_response
1146059133.277703 weird: connection_originator_SYN_ack
1146059133.313146 weird: data_before_established
1146059133.315934 weird: possible_split_routing
with bazillions of weird stderr output. How to eliminate the weird stuff?
TIA!
robin
April 29, 2006, 2:24am
Can you double-check that weird.bro is loaded? Because when it is,
the weird messages are supposed to go into weird.log rather than to
stderr.
Robin