I'm trying to configure bro to work within some proposed privacy
policies. For example, one of the things we may not be allowed to store
is the http traffic logs. I want bro to still know (internally) what is
happening in these streams so that it can use it for other functions
(like sqli detection which loads http), just not output the normal logs.
I had thought to do this through Notice::ignored_types
in local.bro, however the following is still outputting the http.log file.
redef Notice::ignored_types += {
SSL::Invalid_Server_Cert,
HTTP::LOG,
};
Additionally, I suspect that while this method (if I get it to work) may
result in sqli notices, I am not sure it will result in me getting the
attack data. For example, if a sqli attack is detected, I would like the
http.log style string to be output to a file.
Any suggestions on how first to prevent the http.log file creation and
then make sure the offending traffic is recorded for detect-sqli.bro?
Yours,
John