Hi all,
I’ve got a site that I’m running BRO on that is generating TONS of DNS events. About 50% of all log file bytes are DNS related. And most of it is repeated lookup of a single domain name.
Is there any way (maybe using restrict_filters, maybe something else) to NOT log these DNS events for this specific hostname? I’ve done some poking around on google, but nothing’s jumping out at me.
Thanks,
jason
Log filtering is what you want. The examples on https://blog.zeek.org/2012/02/filtering-logs-with-bro.html come close, specifically example 3. To fully filter the queries instead of just splitting them off, you’d use something like
# Query names whose dns.log entries should be dropped entirely.
global ignore_queries: set[string] = { "example.com", "example.org" };

# Log::Filter predicate: return T to keep the record, F to drop it.
function ignore_some_queries(rec: DNS::Info): bool
    {
    # Keep records that carry no query at all.
    if ( ! rec?$query )
        return T;

    return (rec$query !in ignore_queries);
    }

event bro_init()
    {
    # Replace the stock dns.log filter with one that applies the predicate.
    Log::remove_default_filter(DNS::LOG);
    Log::add_filter(DNS::LOG, [
        $name = "dns_filtered",
        $pred = ignore_some_queries
        ]);
    }
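As an added example (not from the thread above), the same predicate generalised to a redef-able list of names plus suffix matching, so subdomains of the noisy name are dropped too, with a counter so you can confirm how much was suppressed. It assumes Zeek 3.0+ event names (`zeek_init`/`zeek_done`; older Bro uses `bro_init`/`bro_done`); the hostnames are placeholders.

```zeek
module DNSFilter;

export {
    ## Exact query names to suppress (placeholder values; override with redef).
    const ignore_names: set[string] = { "noisy.example.com" } &redef;

    ## Any query ending in one of these suffixes is suppressed as well.
    const ignore_suffixes: set[string] = { ".example.org" } &redef;
}

# Count of dropped dns.log records, reported at shutdown as a sanity check.
global suppressed = 0;

function keep_dns_record(rec: DNS::Info): bool
    {
    # Records without a query field are always kept.
    if ( ! rec?$query )
        return T;

    local q = to_lower(rec$query);

    if ( q in ignore_names )
        {
        ++suppressed;
        return F;
        }

    for ( s in ignore_suffixes )
        {
        # sub_bytes() is 1-indexed: take the last |s| bytes of q and compare.
        if ( |q| > |s| && sub_bytes(q, |q| - |s| + 1, |s|) == s )
            {
            ++suppressed;
            return F;
            }
        }

    return T;
    }

event zeek_init()
    {
    Log::remove_default_filter(DNS::LOG);
    Log::add_filter(DNS::LOG, [$name="dns_filtered", $pred=keep_dns_record]);
    }

event zeek_done()
    {
    print fmt("dns.log records suppressed: %d", suppressed);
    }
```

Load it alongside your other scripts and adjust the two sets with `redef` in local.zeek rather than editing the file; the suppressed count lets you compare log volume before and after.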