ignoring all weird?

Is there a convenient way that I can suppress all weird messages that
would otherwise bubble up to the weird log?

I've done this

redef notice_action_filters += {
        [[Weird::WeirdActivity,
          Weird::ContentGap,
          Weird::RetransmissionInconsistency,
          Weird::AckAboveHole]] = ignore_notice
};

But I still get some weird messages that I need to suppress like this

redef Weird::weird_action: table[string] of Weird::WeirdAction += {
        [["above_hole_data_without_any_acks",
          "bad_TCP_checksum",
          "unmatched_HTTP_reply",
          "connection_originator_SYN_ack",
          "window_recision",
          "unescaped_special_URI_char",
          "bad_UDP_checksum",
          "data_before_established",
          "inflate_failed",
          "line_terminated_with_single_CR"
        ]] = Weird::WEIRD_IGNORE
};

Ideas?

Thanks,
-Tim

try something like this:

redef suppress_notice_actions += {
    Weird::ContentGap,
    Weird::AckAboveHole,
    Weird::WeirdActivity,
};

I was hoping it'd be that easy, but now the weird messages (content gap,
ack above a hole, etc) are going to stdout as well as the weird log.

Ideas?

Thanks,
-Tim

I don't think we currently have a way to generally suppress all
weird messages, just individually per your earlier mail. It is
however possible to remove them from notice.log by mapping
corresponding notice types to NOTICE_IGNORE.

Justin's solution is almost doing that but it just suppresses the
notice_action_event, not the actual reporting (that event is used
mostly internally). Use either notice_policy or
notice_action_filters instead.

Robin

One of my co-workers pointed out that, while it may be a poor
workaround, I can kinda get the functionality I was looking for by doing the

redef notice_action_filters += {
        [[Weird::WeirdActivity,
          Weird::ContentGap,
          Weird::RetransmissionInconsistency,
          Weird::AckAboveHole]] = ignore_notice
};

and then redef'ing the weird file to /dev/null

redef Weird::weird_file = open_log_file("/dev/null");

Weird messages go away, but I wonder if this would cause chaos with many
bros trying to open /dev/null concurrently to write the weird log.

Maybe I'll just rotate my weird log more frequently.

Thanks for the pointers!

-Tim

Interesting idea. :-) Should work, except that I don't dare to
predict what the log rotation code does with that ...

Robin

> redef Weird::weird_file = open_log_file("/dev/null");

FYI, I believe Seth Hall sometimes gets the same effect by closing the
file. I'm not sure how that will interact with log rotation either.

    Vern

Yep. It doesn't seem to have any noticeable effect. close-ing the file handle also seems to unhook the print_hook so that remote printing is disabled as well. Setting the file to /dev/null would leave remote printing enabled which could cause extra communication between hosts in multihost setups (cluster).

   .Seth

I just tried this from the userspace:

    error: cannot open /dev/null.log: Permission denied

The function open_log_file apparently adds a *.log suffix before opening
the file. Assuming that you tried this as root, you probably won't have
gotten an error message. Could you double-check that no /dev/null.log
exists?

   Matthias

> The function open_log_file apparently adds a *.log suffix before opening

Yep, or more generally, $BRO_LOG_SUFFIX. You can use open() directly
to avoid this.

    Vern