forwarding Facebook inquiry

Hello Bro Community,

I’m forwarding along a Facebook post our page received:

Can someone help me with how to split connections from internal and external into a separate log? I don't even want the traffic from outside to the inside.

Find below the script I'm using. I have been looking for someone to help me for a month now. It's for educational purposes.

Not 100% sure what question is being asked; however, I put together a simple script to log files based on directionality:

https://github.com/criticalstack/bro-scripts/blob/master/files-log-by-direction/files-log-by-direction.bro

There are some subtleties here that may not be obvious:
– a file can have multiple transmitters or receivers; both tx_hosts and rx_hosts in the Files::Info record are a set [ADDR]
– files do not have to come from a connection

In my example I just use the first TX and RX for making a decision.

Thanks,

Liam Randall
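
An added example, not the linked script and not code from the original thread: a Bro log filter that routes Files::Info records to per-direction logs while handling both subtleties listed above (empty host sets and multiple transmitters or receivers). It goes beyond the first-TX/first-RX approach by checking every host in each set; the module name, the log path names and the `10.0.0.0/8` range are assumptions made for illustration.

```bro
@load base/frameworks/files
@load base/utils/site

module FilesByDirection;

# Assumption: constructed sample range; set this to your own internal networks.
redef Site::local_nets += { 10.0.0.0/8 };

# Count how many hosts in a set fall inside Site::local_nets.
function local_count(hosts: set[addr]): count
	{
	local n = 0;
	for ( h in hosts )
		if ( Site::is_local_addr(h) )
			++n;
	return n;
	}

# Pick the log path for one Files::Info record (hypothetical path names).
function direction_path(id: Log::ID, path: string, rec: Files::Info): string
	{
	# Files need not come from a connection, so either set may be empty.
	if ( |rec$tx_hosts| == 0 || |rec$rx_hosts| == 0 )
		return "files_no_hosts";

	local tx_local = local_count(rec$tx_hosts);
	local rx_local = local_count(rec$rx_hosts);
	local tx_all = ( tx_local == |rec$tx_hosts| );
	local rx_all = ( rx_local == |rec$rx_hosts| );

	if ( tx_all && rx_all )
		return "files_internal";
	if ( tx_all && rx_local == 0 )
		return "files_outbound";
	if ( tx_local == 0 && rx_all )
		return "files_inbound";
	if ( tx_local == 0 && rx_local == 0 )
		return "files_external";
	# Several transmitters or receivers on different sides of the boundary.
	return "files_mixed";
	}

event bro_init()
	{
	# Added alongside the default filter, so files.log is still written.
	Log::add_filter(Files::LOG, [$name="files-by-direction",
	                             $path_func=direction_path]);
	}
```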