Exclude S0 connections from conn.log?

All,

I’ve been looking at cutting down the size of my logs and, after some great advice on this list, one of the things that seems to help is to exclude S0 connections from conn.log.

I’ve been looking at doing this, but sadly I’m still too much of a beginner to get this to work, so I was hoping that someone out there can give me some guidance?

Basically what I’d like to achieve is for the script to not log any events with a conn_state of S0 if the originating node is not in my local networks.

If someone could give me some guidance on how to achieve this I’d be forever grateful.

Thanks in advance, Mike

Hi Mike,

> Basically what I'd like to achieve is for the script to not log any events
> with a conn_state of S0 if the originating node is not in my local
> networks.
>
> If someone could give me some guidance on how to achieve this I'd be
> forever grateful.

You can use a filter (e.g., change the default one):
https://www.bro.org/sphinx/frameworks/logging.html#filter-log-records

There is also a blog post
(http://blog.bro.org/2012/02/filtering-logs-with-bro.html) with a couple
of examples as well as scripts available on github (e.g.,
https://github.com/michalpurzynski/bro-gramming/blob/master/filter_noise_conn.bro).

Jan

All,

With the pointers from Jan, and some earlier replies to an earlier question, I’ve managed to cobble together the following:

← Cut →

module LogFilter;

event bro_init()
    {
    # Drop the stock conn.log filter and replace it with one that skips
    # unanswered connection attempts (S0) from hosts outside Site::local_nets.
    Log::remove_default_filter(Conn::LOG);
    Log::add_filter(Conn::LOG, [$name = "conn-filter-external-S0",
        $pred(rec: Conn::Info) = {
            local result = T;
            # conn_state is &optional, so check it is present before reading it.
            if ( rec?$conn_state && /^S0$/ in rec$conn_state &&
                 ! Site::is_local_addr(rec$id$orig_h) )
                result = F;
            return result;
        }
    ]);
    }

← Cut →

It seems to be working as expected, so I thought I’d post it here, for two reasons :wink:

  1. It could help someone else in the same predicament.
  2. There could be a better way of doing it - or even a correct one :wink: - and someone might spot my mistake(s).

Cheers, Mike
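An added example, not from anyone on this thread: the same logging-framework filters can route the external S0 records into their own log instead of discarding them, so conn.log shrinks but the evidence of unanswered SYNs from outside stays available for scan detection. It assumes Bro 2.x with the default Conn and Site scripts loaded; the filter names, the helper function and the conn-external-s0 path are my own choices.

```bro
module LogFilter;

# Added example (not from the thread). Returns T when the record is an
# unanswered connection attempt (S0) whose originator is not in Site::local_nets.
function is_external_s0(rec: Conn::Info): bool
    {
    # conn_state is &optional, so test for presence before comparing it.
    return rec?$conn_state && rec$conn_state == "S0" &&
           ! Site::is_local_addr(rec$id$orig_h);
    }

# Runs after Conn::LOG has been created (that happens at a higher priority).
event bro_init() &priority=-5
    {
    # Filter 1: the regular conn.log, minus external S0 attempts.
    Log::remove_default_filter(Conn::LOG);
    Log::add_filter(Conn::LOG, [$name = "conn-without-external-s0",
        $pred(rec: Conn::Info) = { return ! is_external_s0(rec); }
    ]);

    # Filter 2: only the external S0 attempts, written to conn-external-s0.log
    # (hypothetical path name) so they can be rotated or retained separately.
    Log::add_filter(Conn::LOG, [$name = "conn-external-s0",
        $path = "conn-external-s0",
        $pred(rec: Conn::Info) = { return is_external_s0(rec); }
    ]);
    }
```

Every conn record then lands in exactly one of the two files, so nothing is lost; if disk space is the concern, the separate file can be given a shorter retention than conn.log.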