HTTP Log filter

Need to find a way to filter all traffic from a particular user-agent so that it does not get logged.

Been reading docs and reviewing .bro files, but still kind of stumped. Any help is greatly appreciated.

TIA

I recently implemented a filter to prevent URLs matching a particular regex from getting logged. You could adapt this to your User-Agent condition fairly easily:

##! This script ignores particular events that we don't want winding up in the
##! Bro logs.
##!
##! Useful docs:
##! https://www.bro.org/development/projects/logging-api.html
##! https://www.bro.org/sphinx-git/frameworks/logging.html#filter-log-records

@load base/protocols/http

# Filter unwanted HTTP events, like the /app_info/status requests.
# Returns T for records that should be written to http.log, F for those to drop.
function http_not_ignored(rec: HTTP::Info): bool
	{
	if ( rec?$uri && /app_info/ in rec$uri )
		return F;
	return T;
	}

event bro_init()
	{
	# First remove the default filter for HTTP logs.
	Log::remove_default_filter(HTTP::LOG);

	# Add an HTTP filter back in to log only the events we want.
	Log::add_filter(HTTP::LOG, [$name = "http-not-ignored",
	                            $path = "http",
	                            $pred = http_not_ignored]);
	}

Cheers,
Brandon

In addition to Brandon's suggestion and code snippet (which is totally the right way to do it!), I'll point you to a blog post I wrote years ago about log filtering that might help you get a broader perspective on how Bro does log filtering.

   .Seth

I should actually include the link... :slight_smile:
  http://blog.bro.org/2012/02/filtering-logs-with-bro.html

   .Seth

thanks, that’s exactly what I needed to quiet that log down - sharing my snippet in case it’s helpful to anyone else:

@load base/protocols/http

# Filter unwanted HTTP events; Sophos SXL requests.
# The user_agent field is optional, so test for its presence before matching.
function http_not_ignored(rec: HTTP::Info): bool
	{
	if ( rec?$user_agent && "SXL/3.1" in rec$user_agent )
		return F;
	return T;
	}

event bro_init()
	{
	# First remove the default filter for HTTP logs.
	Log::remove_default_filter(HTTP::LOG);

	# Add an HTTP filter back in to log only the events we want.
	Log::add_filter(HTTP::LOG, [$name = "http-not-ignored",
	                            $path = "http",
	                            $pred = http_not_ignored]);
	}
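As an added example (not from Brandon's or the original poster's scripts above, and not part of Bro itself), the same predicate technique generalised to a redef-able set of User-Agent substrings, with the excluded records diverted to a second log instead of being discarded. The set name `noisy_user_agents`, the helper `http_is_noisy` and the `http-ignored` path are my own choices; the "SXL/3.1" value is the one from the thread.

```zeek
##! Added example (not from the thread): filter noisy User-Agents out of
##! http.log, but keep them in a side log so nothing is silently lost.

@load base/protocols/http

# Substrings of User-Agent values that should stay out of http.log.
# Extend from local.bro with: redef noisy_user_agents += { "OtherAgent/1.0" };
const noisy_user_agents: set[string] = { "SXL/3.1" } &redef;

# T if the record's User-Agent contains any of the configured substrings.
function http_is_noisy(rec: HTTP::Info): bool
	{
	# user_agent is &optional; a request with no header is never "noisy".
	if ( ! rec?$user_agent )
		return F;

	for ( ua in noisy_user_agents )
		{
		if ( ua in rec$user_agent )
			return T;
		}

	return F;
	}

# Predicate for the main log: keep everything that is not noisy.
function http_not_ignored(rec: HTTP::Info): bool
	{
	return ! http_is_noisy(rec);
	}

event bro_init()
	{
	# Drop the default filter, which would otherwise log every record.
	Log::remove_default_filter(HTTP::LOG);

	# http.log: all HTTP records except the noisy agents.
	Log::add_filter(HTTP::LOG, [$name = "http-not-ignored",
	                            $path = "http",
	                            $pred = http_not_ignored]);

	# http-ignored.log: only the noisy agents, available when needed.
	Log::add_filter(HTTP::LOG, [$name = "http-ignored",
	                            $path = "http-ignored",
	                            $pred = http_is_noisy]);
	}
```

Two points worth keeping in mind with this approach: the filters act only on the HTTP log stream, so the connections behind the excluded requests still appear in conn.log and any other log derived from the same traffic; and because the set carries `&redef`, the list of excluded agents can be maintained in local.bro without editing the script.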