Hi, is there a way to exclude only application/pkix-cert from files.log?
Thanks in advance
You may find these walkthroughs helpful.
https://blog.zeek.org/2012/02/filtering-logs-with-bro.html
https://www.zeek.org/manual/release/frameworks/file-analysis.html#file-lifecycle-events
-AK
This is what I do. It allowed me to cut the number of files events by
like 70% and the total SIEM intake by a whopping 30%.
You most definitely want to filter those out. Be aware there are some
drawbacks, though, like you just lost the trivial ability to correlate
x509-files-ssl, but you combat that by correlating the "id" field from
the x509 log with the cert_chain_fuids field from the ssl.log.
module LogFilter;

event bro_init()
    {
    # Replace the stock files.log filter with one that carries a predicate.
    Log::remove_default_filter(Files::LOG);
    Log::add_filter(Files::LOG, [$name = "files-noise",
        $pred(rec: Files::Info) = {
            # Drop certificate records (the predicate returning F suppresses the
            # write); everything else is logged as usual. mime_type is &optional,
            # so test for its presence before comparing it.
            if ( rec?$mime_type
                 && ( rec$mime_type == "application/pkix-cert"
                      || rec$mime_type == "application/x-x509-ca-cert"
                      || rec$mime_type == "application/x-x509-user-cert" ) )
                return F;
            return T;
        }]);
    }
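A narrower variant for the original question (dropping only application/pkix-cert while keeping the default filter intact), added here as an illustration and not code from the poster above or from the Zeek project. It fetches the default filter with Log::get_filter, attaches a predicate, and re-adds it under the same name, so the stock output path and fields are unchanged; it also counts what it drops so the effect on files.log volume can be checked. The module name FilesNoise, the drop_types set and the dropped counter are my own choices. zeek_init/zeek_done are the Zeek 3+ event names; on older Bro releases use bro_init/bro_done.

```zeek
module FilesNoise;

export {
    ## MIME types to suppress in files.log. Only the type asked about is
    ## listed; extend with redef if the x509 CA/user cert types should go too.
    const drop_types: set[string] = { "application/pkix-cert" } &redef;
}

## Assumed counter (not part of Zeek) so the operator can see how many
## records the predicate removed over the run.
global dropped: count = 0;

event zeek_init()
    {
    # Start from the default filter rather than removing it, so path, fields
    # and writer stay exactly as shipped.
    local f = Log::get_filter(Files::LOG, "default");

    f$pred = function(rec: Files::Info): bool
        {
        # mime_type is &optional; guard before comparing.
        if ( rec?$mime_type && rec$mime_type in drop_types )
            {
            ++dropped;
            return F;   # F suppresses the write for this record
            }
        return T;
        };

    # add_filter replaces an existing filter with the same name.
    Log::add_filter(Files::LOG, f);
    }

event zeek_done()
    {
    # Surface the filter's effect in reporter.log at shutdown.
    Reporter::info(fmt("files.log: suppressed %d application/pkix-cert records", dropped));
    }
```

The predicate runs per record, so keeping the test to a set membership check keeps the cost negligible even on busy sensors. Because the x509.log is untouched, certificate details are still available there; only the files.log row for the certificate body is dropped, which is the correlation gap the reply above describes.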