Notice suppression in beta

Lou_RUPPERT · November 7, 2013, 6:10pm

Hey,

I'm still having trouble suppressing SSL notices in 2.2. I have this
code, which should work:

- --- snip ---
const safe_vendor_netblocks = { 192.168.0.0/16, 10.0.0.0/8, };

function suppress_ssl_notice(n: Notice::Info): bool
{
    # Vendors
    if (n$dst in safe_vendor_netblocks)
        return T;

return F;
}

hook Notice::policy(n: Notice::Info) &priority=5
{
if ( n$note == SSL::Invalid_Server_Cert && suppress_ssl_notice(n) )
break;
}

- --- snip ---

But still I see notices coming through with IPs in the netblocks
listed and with a note for SSL::Invalid_Server_Cert. Shouldn't a break
issued from a hook with a greater priority than the default process
prevent the notice from being logged?

- --
I prefer encrypted email. Get my key here:
http://www.louruppert.com/keys/115DCF62.asc
PGP Fingerprint: 3261 B9F9 9363 D512 56F8 12DD 127F 4D6A 115D CF62

Siwek_Jon · November 7, 2013, 8:34pm

There’s a priority 10 notice policy hook that configures some actions to take depending on the value of n$note, and by default it adds the logging action (to be performed later).

So either “break”ing from a hook with priority greater than 10 or “delete n$actions[Notice::ACTION_LOG]” from one with lower priority should prevent a notice from being logged. The former would also prevent any email/alarm actions associated with the notice type.

- Jon

Topic		Replies	Views
Suppress_for issues Zeek	5	118	May 6, 2022
Recommendations on SSL events in notice.log Zeek	1	97	May 6, 2022
Filtering PacketFilter::Dropped_Packets Zeek	11	92	May 6, 2022
Disable some type of "alerts" for internal servers Zeek	4	51	May 6, 2022
Email Notice Suppression Zeek	2	64	May 6, 2022

Notice suppression in beta

Related topics