Filtering PacketFilter::Dropped_Packets

Martin_Holste · April 17, 2012, 12:18am

I've got this: Log::disable_stream(PacketFilter::LOG);

But I'm still getting a ton of "PacketFilter::Dropped_Packets" to notice.log.

What do I need to do to disable these messages?

Seth_Hall3 · April 17, 2012, 11:34am

Notice processing docs:
http://www.bro-ids.org/documentation/notice.html

You can use the notice ignore shortcut because you want to completely ignore a notice type:
http://www.bro-ids.org/documentation/notice.html#id7

redef Notice::ignored_types += { PacketFilter::Dropped_Packets };

.Seth

Will · April 17, 2012, 12:51pm

But I'm still getting a ton of "PacketFilter::Dropped_Packets" to notice.log.
What do I need to do to disable these messages?

Notice processing docs:
http://www.bro-ids.org/documentation/notice.html

You can use the notice ignore shortcut because you want to completely ignore a notice type:
http://www.bro-ids.org/documentation/notice.html#id7

redef Notice::ignored_types += { PacketFilter::Dropped_Packets };

That didn't appear to completely work for me as the default action
still seemed to be applied.

I changed it to this:
redef Notice::policy += { [$pred(n: Notice::Info) = {return n$note ==
PacketFilter::Dropped_Packets; }, $action = Notice::ACTION_NONE, $halt
= T] };

Before adding '$halt=T', the action in the log listed both ACTION_NONE
and ACTION_LOG.

-will

Martin_Holste · April 17, 2012, 1:41pm

Looks like Will's method is working. Thanks much!

robin · April 17, 2012, 2:40pm

That are going through the notice framework and can be suppressed
there with something like this:

    redef Notice::ignored_types += {
        PacketFilter::Dropped_Packets
    };

Robin

robin · April 17, 2012, 3:02pm

That sounds like a bug then. Can you file a ticket please?

Robin

Will · April 17, 2012, 3:18pm

Sure thing.

-will

Seth_Hall3 · April 17, 2012, 4:05pm

Thanks, it definitely sounds like a bug.

.Seth

Seth_Hall3 · April 17, 2012, 4:19pm

Everything implemented internally should make this work. There is one thing I'm wondering though. In any of your scripts you're running locally, are you doing…

redef Notice::policy = { … };

Instead of…

redef Notice::policy += { … };

It's a small difference, but causes a big change because those shortcuts (like ignored_types) are basically just pre-implemented notice policy items which you are blowing away if you do full set assignment instead of adding items to the set. I'll start trying to think of way to make that more resilient to this too. This fragility is the one thing I don't like about those pre-implemented policy items.

.Seth

Martin_Holste · April 17, 2012, 5:53pm

Nope, not doing that.

Will · April 17, 2012, 9:33pm

Looks like Will's method is working. Thanks much!

Everything implemented internally should make this work. There is one thing I'm wondering though. In any of your scripts you're running locally, are you doing…

redef Notice::policy = { … };

Instead of…

redef Notice::policy += { … };

Yes, all my are just like the example above, "+=", so I assume I was
just appending another action to the table.

Maybe not a bug then?

If I do a full re-assignment "=" instead, I wouldn't have multiple
actions assigned to the notice?

Topic		Replies	Views
Take action on a notice? Zeek	3	66	May 6, 2022
Problem: Bro listening on two ethernet interfaces Zeek	2	100	May 6, 2022
Big Packet loss and PacketFilter::Dropped_Packets Zeek	2	107	May 6, 2022
Disabling DPD Zeek	2	75	May 6, 2022
changing log output Zeek	3	113	May 6, 2022

Filtering PacketFilter::Dropped_Packets

Related topics