My http ext outbound logfile is getting a little too large to work
with and contains information about downloaded JPGs, GIFs, etc.,
which I am not interested in anyway.
How can I filter out those URLs so they don't end up in this
logfile, or if that's complicated, how can I limit logging into
this file to only contain "application/x-dosexec" downloads?
You have two choices: you can handle the http_ext event yourself and do logging however you want (check out logging.http-ext.bro for an example), or you can do the following after you load the logging.http-ext.bro script.
redef HTTP::logging = None; # Other options are Inbound, Outbound, and the default All
It still logs requests matching file types you want logged because the http-ext-identified-files.bro script forces identified files to be logged. All of the options for HTTP logging through the http-ext.bro script are documented at the top of the logging.http-ext.bro script. Options for identifying files you want to log can be found at the top of the http-ext-identified-files.bro script.
I hadn't considered doing a negative filter for logs, but that is certainly something I could add to my logging framework. My initial thought is that it would just be a regular expression for matching the full log line and if the regex matches the line, it wouldn't be logged.
Sorry about that, I can't even configure my own script correctly.
redef HTTP::logging=Neither;
Then check for your requests in your http-ext-identified-files-outbound.log. When you disable logging for the main http-ext file, it only disables it for that file, but the tagged files (with "identified-files" added) are still logged.