Notice suppression in beta

Lou_RUPPERT · November 7, 2013, 6:10pm

Hey,

I'm still having trouble suppressing SSL notices in 2.2. I have this
code, which should work:

- --- snip ---
const safe_vendor_netblocks = { 192.168.0.0/16, 10.0.0.0/8, };

function suppress_ssl_notice(n: Notice::Info): bool
{
    # Vendors
    if (n$dst in safe_vendor_netblocks)
        return T;

return F;
}

hook Notice::policy(n: Notice::Info) &priority=5
{
if ( n$note == SSL::Invalid_Server_Cert && suppress_ssl_notice(n) )
break;
}

- --- snip ---

But still I see notices coming through with IPs in the netblocks
listed and with a note for SSL::Invalid_Server_Cert. Shouldn't a break
issued from a hook with a greater priority than the default process
prevent the notice from being logged?

- --
I prefer encrypted email. Get my key here:
http://www.louruppert.com/keys/115DCF62.asc
PGP Fingerprint: 3261 B9F9 9363 D512 56F8 12DD 127F 4D6A 115D CF62

Siwek_Jon · November 7, 2013, 8:34pm

There’s a priority 10 notice policy hook that configures some actions to take depending on the value of n$note, and by default it adds the logging action (to be performed later).

So either “break”ing from a hook with priority greater than 10 or “delete n$actions[Notice::ACTION_LOG]” from one with lower priority should prevent a notice from being logged. The former would also prevent any email/alarm actions associated with the notice type.

- Jon

Topic		Replies	Views
Suppress_for issues Zeek	5	87	May 6, 2022
Recommendations on SSL events in notice.log Zeek	1	76	May 6, 2022
Notice and Sumstats and how to whitelist IPs Zeek	9	170	May 6, 2022
Invalid_Server_Cert entries in notice.log Zeek	2	61	May 6, 2022
Manager, Proxy and Worker all logging the same notice to notice.log Zeek	4	80	May 6, 2022

Notice suppression in beta

Related Topics