Not recording SOME dns lookups...

Hi all,

I’ve got a site that i’m running BRO on that is generating TONS of DNS events. About 50% of all log file bytes are DNS related. And most of it is repeated lookup of a single a single domain name.

Is there any way (maybe using restrict_filters, maybe something else) to NOT log these DNS events for this specific hostname? I’ve done some poking around on google, but nothing’s jumping out at me.


Log filtering is what you want. The examples on come close, specifically example 3. to fully filter the queries instead of just splitting them off, you’d use something like

global ignore_queries: set[string] =  { "[](", "[]("};

function ignore_some_queries(rec: DNS::Info): bool
		return  T;
	return (rec$query !in ignore_queries);

event bro_init()
		Log::add_filter(DNS::LOG, [
			$name = "dns_filtered",
			$pred = ignore_some_queries