filtering types from http-ext-outbound.log

My http-ext-outbound logfile is getting a little too large to work
with and contains information about downloaded JPGs, GIFs, etc.,
which I am not interested in anyway.

How can I filter out those URLs so they don't end up in this
logfile, or, if that's complicated, how can I limit logging to
this file to only "application/x-dosexec" downloads?

thanks in advance,
Ewald...

You have two choices, you can handle the http_ext event yourself and do logging however you want (check out logging.http-ext.bro for an example), or you can do the following after you load the logging.http-ext.bro script.

redef HTTP::logging = None; # Other options are Inbound, Outbound, and the default All

It still logs requests matching file types you want logged because the http-ext-identified-files.bro script forces identified files to be logged. All of the options for HTTP logging through the http-ext.bro script are documented at the top of the logging.http-ext.bro script. Options for identifying files you want to log can be found at the top of the http-ext-identified-files.bro script.

I hadn't considered doing a negative filter for logs, but that is certainly something I could add to my logging framework. My initial thought is that it would just be a regular expression for matching the full log line and if the regex matches the line, it wouldn't be logged.

  .Seth

Hi Seth,

Thanks for the quick reply.

If I use the redef in my local.bro config:

@load all-ext.bro
redef HTTP::logging = None;

http-ext-outbound.log stays empty, even when I download some executables
myself.

Next I removed the redef from my local.bro config
and tried to change ignored_urls in the file
http-ext-identified-files.bro

from:

const ignored_urls = /^http:\/\/(au\.|www\.)?download\.windowsupdate\.com\/msdownload\/update/ &redef;

to:

const ignored_urls = /^http:\/\/.*\.(jpg|png|html|gif|htm)$/ &redef;

But that doesn't stop those from being logged :(

thanks in advance,

Ewald...

Sorry about that, I can't even configure my own script correctly. :)

redef HTTP::logging = Neither;

Then check for your requests in your http-ext-identified-files-outbound.log. When you disable logging for the main http-ext file, it only disables it for that file, but the tagged files (with "identified-files" added) are still logged.

  .Seth
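The two approaches discussed in the thread, Seth's proposed negative filter (a regex over the whole log line) and Ewald's wish to keep only "application/x-dosexec" downloads, sketched as an added Python example that is not from the thread or from the Bro http-ext scripts. The log lines and their column layout are constructed, since the thread does not show the http-ext-outbound.log format; the example also shows how Ewald's `$`-anchored ignored_urls pattern behaves on a URL that carries a query string.

```python
import re

# Constructed sample log lines (NOT the real http-ext-outbound.log format):
# tab-separated, with the URL in column 3 and the MIME type in the last column.
SAMPLE_LOG = """\
1299000001.1\t10.0.0.5\t203.0.113.10\thttp://example.com/images/logo.gif\timage/gif
1299000002.2\t10.0.0.5\t203.0.113.10\thttp://example.com/setup.exe\tapplication/x-dosexec
1299000003.3\t10.0.0.7\t203.0.113.20\thttp://example.com/photo.jpg?size=large\timage/jpeg
1299000004.4\t10.0.0.7\t203.0.113.20\thttp://example.com/index.html\ttext/html
"""

# Ewald's ignored_urls pattern from the thread, translated to Python syntax.
EWALD_IGNORED_URLS = re.compile(r"^http://.*\.(jpg|png|html|gif|htm)$")
# Same idea, but allowing a query string after the extension instead of
# requiring the URL to end right after it.
IGNORED_URLS_WITH_QUERY = re.compile(r"^http://.*\.(jpg|png|html|gif|htm)(\?|$)")


def negative_filter(lines, pattern):
    """Seth's idea: drop any line the regex matches anywhere in the full line."""
    return [ln for ln in lines if not pattern.search(ln)]


def url_filter(lines, url_pattern, url_field=3):
    """ignored_urls style: drop lines whose URL column matches url_pattern."""
    kept = []
    for ln in lines:
        fields = ln.split("\t")
        if len(fields) <= url_field or not url_pattern.match(fields[url_field]):
            kept.append(ln)
    return kept


def keep_mime(lines, mime="application/x-dosexec"):
    """Positive filter: keep only lines whose MIME column equals the wanted type."""
    return [ln for ln in lines if ln.split("\t")[-1] == mime]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # The $-anchored pattern misses photo.jpg?size=large; the relaxed one drops it.
    print(len(url_filter(lines, EWALD_IGNORED_URLS)))      # 2 lines survive
    print(len(url_filter(lines, IGNORED_URLS_WITH_QUERY)))  # 1 line survives
    print(keep_mime(lines))                                 # only setup.exe
```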