Question: using Log Filter Framework

Hey All,

Hey I've been trying to use the log filter framework to filter out
various things like certain IP ranges and other records. Here is my
attempt but Bro is complaining about line 8 saying my syntax isn't
correct. Does anyone know what I'm doing wrong? I've been using
Seth's blog post on the framework as an example of how to build the
log filters. --->
http://blog.bro.org/2012/02/filtering-logs-with-bro.html

Thanks in advance!

-James D.

###### code #######

global filter_ip_set: subnet = 1.0.0.0/8 &redef;

event bro_init()
        {
        Log::remove_default_filter(HTTP::LOG);
        Log::add_filter(HTTP::LOG, [$name="orig_h_filter",
                                    $pred(rec: HTTP::Info) = {
                                    rec$id$orig_h in $filter_ip_set;
                                    } ]);
        Log::add_filter(HTTP::LOG, [$name="resp_h_filter",
                                    $pred(rec: HTTP::Info) = {
                                    rec$id$resp_h in $filter_ip_set;
                                    } ]);
        }

That just has 2 small issues:

$filter_ip_set should be filter_ip_set and the pred function needs to return a boolean, so:

       Log::add_filter(HTTP::LOG, [$name="orig_h_filter",
                                   $pred(rec: HTTP::Info) = {
                                   return rec$id$orig_h in filter_ip_set;
                                   } ]);

Personally I'd format that sort of thing like

    Log::add_filter(HTTP::LOG, [
        $name="orig_h_filter",
        $pred(rec: HTTP::Info) = {
            return rec$id$orig_h in filter_ip_set;
        }
    ]);

Also, not sure if that is just an example, but you'd probably want something like

    Log::add_filter(HTTP::LOG, [
        $name="host_filter",
        $pred(rec: HTTP::Info) = {
            return rec$id$orig_h in filter_ip_set || rec$id$resp_h in filter_ip_set;
        }
    ]);

Finally, if you are doing more complicated things in the pred function, splitting the statement up can help readability.

function interesting_connections(rec: HTTP::Info): bool
{
    return rec$id$orig_h in filter_ip_set || rec$id$resp_h in filter_ip_set;
}

event bro_init()
{
    local filter: Log::Filter = [$name="host_filter", $pred=interesting_connections];
    Log::add_filter(HTTP::LOG, filter);
}
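Added example, not part of the thread and not James's or Justin's code, carrying the same approach one step further: because the original question is about filtering out IP ranges, the script uses a set[subnet] rather than a single subnet and returns F for the matching records, since a Log::Filter's $pred returns T for entries that should be written and F for entries to drop. The module name, the function name keep_http_entry and the subnet values are constructed for illustration.

```zeek
# Added example (not from the thread). Drop http.log entries where either
# endpoint is inside one of several excluded ranges; keep everything else.

module HTTPFilter;

export {
    # Constructed sample ranges; override from local.bro with
    #   redef HTTPFilter::excluded_nets += { 172.16.0.0/12 };
    const excluded_nets: set[subnet] = { 10.0.0.0/8, 192.168.0.0/16 } &redef;
}

# Hypothetical predicate name. For a Log::Filter, $pred returning T means
# "write this record" and F means "drop it", so filtering a range out
# means returning F when the address matches.
function keep_http_entry(rec: HTTP::Info): bool
    {
    # An addr tested against a set[subnet] matches if any subnet contains it.
    if ( rec$id$orig_h in excluded_nets || rec$id$resp_h in excluded_nets )
        return F;
    return T;
    }

event bro_init()
    {
    # Replace the default filter instead of adding a second one next to it:
    # two filters writing the same path would both emit http.log entries.
    Log::remove_default_filter(HTTP::LOG);
    Log::add_filter(HTTP::LOG, [$name="exclude_ranges", $pred=keep_http_entry]);
    }
```

Load it from local.bro (or pass the file on the command line) and http.log will omit both directions of traffic involving the listed ranges; to keep only those ranges instead, swap the T and F return values.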

Thanks Justin!

That did the trick, now I can start getting myself into deeper trouble!

-James