Properly disabling certain rules

James_Lay · June 18, 2014, 2:09pm

Team,

So...after upgrading to Bro 2.3, syslog and ssl have returned, which I do not want to see. I commented them out in init-default.bro, which is not the right way to go I know. How can I disable these in my local.bro? Thank you.

James

James_Lay · June 18, 2014, 2:53pm

Heh...got it already:

event bro_init()
        {
        Log::disable_stream(Syslog::LOG);
        }

Thanks all.

James

Vlad_Grigorescu1 · June 18, 2014, 2:56pm

Hi James,

Just as a matter of terminology, these aren't rules, but analyzers.

Try something like this to your local.bro:

event bro_init() {
Analyzer::disable_analyzer(Analyzer::ANALYZER_SSL);
Analyzer::disable_analyzer(Analyzer::ANALYZER_SYSLOG);
}

--Vlad

James_Lay · June 18, 2014, 3:01pm

Thanks for the clarification Vlad...helps if I at least SOUND like I know what I'm talking about

James

Ward_Sladek · June 18, 2014, 3:23pm

I eliminate syslog via the following in my local.bro:

Disable Syslog

event bro_init()
{
Log::disable_stream(Syslog::LOG);
}

Not sure if that is the recommended way, but it works.

Topic		Replies	Views
Disable Base script Zeek	2	292	May 6, 2022
Hui Lin_Bro disable log stream is not working? Zeek	2	52	May 6, 2022
Disable Log Stream but not the analyzers Zeek	7	71	May 6, 2022
Hui Lin_How to disable some default log option Development development	3	67	May 6, 2022
Binpac exception Zeek	3	81	May 6, 2022

Properly disabling certain rules

Disable Syslog

Related Topics