My http-ext outbound logfile is getting a little too large to work
with and contains information about downloaded jpgs, gifs, etc.,
which I am not interested in anyway.
How can I filter out those URLs so they don't end up in this
logfile, or, if that's complicated, how can I limit logging to
this file so it only contains "application/x-dosexec" downloads?
Thanks in advance,
You have two choices: you can handle the http_ext event yourself and do the logging however you want (check out logging.http-ext.bro for an example), or you can do the following after you load the logging.http-ext.bro script.
redef HTTP::logging = None; # Other options are Inbound, Outbound, and the default All
It still logs requests matching the file types you want logged, because the http-ext-identified-files.bro script forces identified files to be logged. All of the options for HTTP logging through the http-ext.bro script are documented at the top of the logging.http-ext.bro script. The options for identifying the files you want to log can be found at the top of the http-ext-identified-files.bro script.
I hadn't considered doing a negative filter for logs, but that is certainly something I could add to my logging framework. My initial thought is that it would just be a regular expression matched against the full log line; if the regex matches the line, it wouldn't be logged.
Thanks for the quick reply.
If I use the redef in my local.bro config:
redef HTTP::logging = None;
http-ext-outbound.log stays empty, even when I download some executables.
Next I removed the redef from my local.bro config
and tried to change ignored_urls in the file from
const ignored_urls = /^http:\/\/(au\.|www\.)?download\.windowsupdate\.com\/msdownload\/update/ &redef;
to
const ignored_urls = /^http:\/\/.*\.(jpg|png|html|gif|htm)$/ &redef;
But that doesn't stop those from being logged.
Thanks in advance,
Sorry about that, I can't even configure my own script correctly.
Then check for your requests in your http-ext-identified-files-outbound.log. When you disable logging for the main http-ext file, it only disables logging to that file; the tagged files (with "identified-files" added to the name) are still logged.