files.log

Hi, is there a way to exclude only application/pkix-cert from files.log?

Thanks in advance

You may find these walkthroughs helpful.

https://blog.zeek.org/2012/02/filtering-logs-with-bro.html
https://www.zeek.org/manual/release/frameworks/file-analysis.html#file-lifecycle-events

-AK

This is what I do. It allowed me to cut the number of file events by
like 70% and the total SIEM intake by a whopping 30%

You most definitely want to filter those out. Be aware there are some
drawbacks, though, like you just lost the trivial ability to correlate
x509-files-ssl but you combat that by correlating the "id" field from
the x509 log with the cert_chain_fuids field from the ssl.log

module LogFilter;

event bro_init()
    {
    # Replace the stock files.log filter with one whose predicate drops
    # certificate files (return T to log a record, F to drop it).
    Log::remove_default_filter(Files::LOG);

    Log::add_filter(Files::LOG, [$name = "files-noise",
                                 $pred(rec: Files::Info) = {
                                     # mime_type is optional, so test presence first.
                                     if ( rec?$mime_type &&
                                          ( rec$mime_type == "application/pkix-cert" ||
                                            rec$mime_type == "application/x-x509-ca-cert" ||
                                            rec$mime_type == "application/x-x509-user-cert" ) )
                                         return F;
                                     return T;
                                 }]);
    }
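As an added example (not the poster's script), the same predicate can route certificate records to their own log instead of dropping them, which keeps the fuid available for joining against x509.log and the ssl.log cert_chain_fuids field; it assumes a current Zeek release where the init event is named zeek_init, and the MIME list and the files_certs path are constructed here:

```zeek
module LogFilter;

# Constructed list of certificate MIME types to divert (assumption: these
# three are the ones worth separating; extend via redef as needed).
const cert_mime_types: set[string] = {
    "application/pkix-cert",
    "application/x-x509-ca-cert",
    "application/x-x509-user-cert"
} &redef;

function is_cert_file(rec: Files::Info): bool
    {
    return rec?$mime_type && rec$mime_type in cert_mime_types;
    }

event zeek_init()
    {
    # Drop the default filter so files.log no longer carries cert records.
    Log::remove_default_filter(Files::LOG);
    Log::add_filter(Files::LOG, [$name = "files-noncert",
                                 $pred(rec: Files::Info) = { return ! is_cert_file(rec); }]);

    # Send certificate records to files_certs.log (hypothetical path name),
    # so they can still be correlated by fuid without inflating files.log.
    Log::add_filter(Files::LOG, [$name = "files-certs",
                                 $path = "files_certs",
                                 $pred(rec: Files::Info) = { return is_cert_file(rec); }]);
    }
```

If files_certs.log is not shipped to the SIEM, the intake reduction is the same as dropping the records outright, while the cert data stays on disk for incident work.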