Is it possible to split the Weird.log?

Hi everyone,

I have been investigating this matter with no success, and I've decided to send this mail in the hope that some of you could help me.

In 2 of my Zeeks I have a lot of entries in the Weird.log about “bad_HTTP_request”; this generates a lot of traffic that I want to split from the other Weird events before forwarding them.

Is it possible to send this “bad_HTTP_request” to another custom log like “bad_request.log”?

If the first option is not possible, is it possible to stop generating these events?

Thank you all.

Regards.

Hi Jorge,

You’re in luck. Log Filters allow you to do just that. With filters you have two primary tools at your disposal:

$pred - filter out events before they are written to the log (https://docs.zeek.org/en/stable/frameworks/logging.html#filter-log-records)
$path_func - determine which log file each event should be written to (https://docs.zeek.org/en/stable/frameworks/logging.html#determine-log-path-dynamically)

Those links have some concise examples of how to use each and info about working with filters in general. There is also a blog from ’12 that has some good examples https://blog.zeek.org/2012/02/filtering-logs-with-bro.html. It's from the bro days but the concepts are still relevant.

Adam
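A concrete version of both tools Adam mentions, written as an added example for this thread (it is not from the original post, and not one of Zeek's shipped scripts). It takes the stock "default" filter on the Weird::LOG stream and attaches a $path_func that diverts records whose $name is bad_HTTP_request into bad_request.log, leaving every other weird in weird.log; flipping the assumed drop_instead constant to T swaps in a $pred that discards those records instead of writing them anywhere, which covers the second question. The module name WeirdSplit, the constants split_names and drop_instead, and the function weird_path are names chosen here; Weird::LOG, Weird::Info and its $name field, Log::get_filter and Log::add_filter are Zeek's own.

```zeek
# Added example for the thread above, not part of the original post or of
# Zeek's base scripts. Splits (or drops) selected weird names from weird.log.

module WeirdSplit;

# Weird names to divert. Add more entries to send other noise to the same file.
const split_names: set[string] = { "bad_HTTP_request" } &redef;

# F: write matching weirds to bad_request.log (first question in the thread).
# T: do not write them at all (second question).
const drop_instead: bool = F &redef;

# A Log::Filter $path_func is called once per record; the string it returns
# becomes the file name, without the ".log" suffix.
function weird_path(id: Log::ID, path: string, rec: Weird::Info): string
    {
    if ( rec$name in split_names )
        return "bad_request";

    # Everything else keeps the path the default filter already uses ("weird").
    return path;
    }

# Negative priority so this runs after the weird framework's own zeek_init
# has created the Weird::LOG stream.
event zeek_init() &priority=-5
    {
    # Fetch the stock filter, modify it, and re-add it under the same name
    # so that it replaces the original rather than duplicating output.
    local f = Log::get_filter(Weird::LOG, "default");

    if ( drop_instead )
        # $pred returning F skips the record entirely for this filter.
        f$pred = function(rec: Weird::Info): bool
            {
            return rec$name !in split_names;
            };
    else
        f$path_func = weird_path;

    Log::add_filter(Weird::LOG, f);
    }
```

Load the script on every node (a cluster's workers write the log records, so a logger-only load would not take effect) and check for a new bad_request.log alongside weird.log. Note that the $pred route only stops the record from being written; the weird framework still processes the event. If the goal is to stop handling bad_HTTP_request altogether, the framework-level knob is `redef Weird::actions += { ["bad_HTTP_request"] = Weird::ACTION_IGNORE };`, at the cost of losing visibility into what is producing them, which is exactly what the follow-up reply suggests investigating first.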

ap was spot on with the log filters, so I have nothing to add there. I am wondering about what those weirds are about though. If you do some reporting on the logs, is it by any chance all coming from the same client or server or port? It might be something that can be fixed to not generate these weirds in the first place.