Question: using Log Filter Framework

Zeek
1

Hey All,

Hey I've been trying to use the log filter framework to filter out
various things like certain IP ranges and other records. Here is my
attempt but Bro is complaining about line 8 saying my syntax isn't
correct. Does anyone know what I'm doing wrong? I've been using
Seth's blog post on the framework as an example of how to build the
log filters. --->
http://blog.bro.org/2012/02/filtering-logs-with-bro.html

Thanks in advance!

-James D.

###### code #######

global filter_ip_set: subnet = 1.0.0.0/8 &redef;

event bro_init()
        {
        Log::remove_default_filter(HTTP::LOG);
        Log::add_filter(HTTP::LOG, [$name="orig_h_filter",
                                    $pred(rec: HTTP::Info) = {
                                    rec$id$orig_h in $filter_ip_set;
                                    } ]);
        Log::add_filter(HTTP::LOG, [$name="resp_h_filter",
                                    $pred(rec: HTTP::Info) = {
                                    rec$id$resp_h in $filter_ip_set;
                                    } ]);
        }

2

That just has 2 small issues:

$filter_ip_set should be filter_ip_set and the pred function needs to return a boolean, so:

       Log::add_filter(HTTP::LOG, [$name="orig_h_filter",
                                   $pred(rec: HTTP::Info) = {
                                   return rec$id$orig_h in filter_ip_set;
                                   } ]);

Personally I'd format that sort of thing like

    Log::add_filter(HTTP::LOG, [
        $name="orig_h_filter",
        $pred(rec: HTTP::Info) = {
            return rec$id$orig_h in filter_ip_set;
        }
    ]);

Also, not sure if that is just an example, but you'd probably want something like

    Log::add_filter(HTTP::LOG, [
        $name="host_filter",
        $pred(rec: HTTP::Info) = {
            return rec$id$orig_h in filter_ip_set || rec$id$resp_h in filter_ip_set;
        }
    ]);

Finally.. if you are doing more complicated things in the pred function splitting the statement up can help readability.

function interesting_connections(rec: HTTP::Info): bool
{
    return rec$id$orig_h in filter_ip_set || rec$id$resp_h in filter_ip_set;
}

event bro_init()
{
    local filter: Log::Filter = [$name="host_filter", $pred=interesting_connections];
    Log::add_filter(HTTP::LOG, filter);
}

3

Thanks Justin!

That did the trick, now I can start getting myself into deeper trouble!

-James