ignoring ContentGap and friends

Zeek
1

Hi.

New to bro so this is probably a dumb question.

I’m following the instructions here (http://www.bro-ids.org/wiki/index.php/User_Manual:_Customizing_Bro) on how to squelch the ContentGap and various other messages. Here’s my config file:

@load bittorrent
@load bt-tracker

redef notice_action_filters += {
WeirdActivity, ContentGap = ignore_notice,
};

When I run this, I get:

Line 6: error: unknown identifier WeirdActivity, at or near “WeirdActivity”

I couldn’t figure out if these have been renamed or what?

Thanks for the help…

0100

2

Hi,
maybe add `Weird::`, example:
  Weird::WeirdActivity, Weird::ContentGap = ignore_notice,
Regards
Rmkml
Crusoe-Researches.com

3

You're likely using a newer version than this was written for (as it
seems you already guessed). The variables from weird.bro are now in
a namespace Weird so you should write Weird::WeirdActivity etc. (and
also @load weird).

Robin

4

Thanks all.

So the good news is that it seems to have found the referenced variables, but they are creating a type error in the notice_action_filters table:

notice.bro, line 6 and /usr/local/bro/policy/notice.bro, lines 74-75
(enum and table[enum] of function(n:record { note:enum; msg:string; sub:string; conn:record { id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; orig:record { size:count; state:count; }; resp:record { size:count; state:count; }; start_time:time; duration:interval; service:set[string]; addl:string; hot:count; history:string; }; iconn:record { orig_h:addr; resp_h:addr; itype:count; icode:count; len:count; }; id:record { orig_h:addr; orig_p:port; resp_h:addr; resp_p:port; }; src:addr; dst:addr; p:port; user:string; filename:string; method:string; URL:string; n:count; src_peer:record { id:count; host:addr; p:port; is_local:bool; descr:string; class:string; }; tag:string; dropped:bool; captured:string; }; a:enum;) : enum): error, type clash in table initializer

Thoughts? Does this enum need to be updated somewhere?

0100

5

redef notice_action_filters += {
     WeirdActivity, ContentGap = ignore_notice,
};

Along with the scoping issues that others have discussed, there's
a syntax problem here (which explains your follow-on problem). The
above needs to be:

  redef notice_action_filters += {
    [[Weird::WeirdActivity, Weird::ContentGap]] = ignore_notice,
  };

- Vern

6

Thanks! That seems to work. I will request a wiki account and update the docs if that’s okay.

0100