Hi,
Recently I installed a Bro IDS instance on my network.
I want to filter out all internal DNS messages from dns.log.
I need an explanation of how I configure this and where.
Thanks,
CM.
I personally used a bro script much like example 3 in this link: http://blog.bro.org/2012/02/filtering-logs-with-bro.html
You define what the “local” zones are, and then it splits the dns.log into dns_localzone.log (your items) and dns_remotezone.log (anything not defined). You can then process/query the remotezone log as you would a dns.log and discard the localzone log if you wish. I would encourage you to keep that localzone log though; it’s a great resource.
Brad Miller
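A script in the spirit of what Brad describes, written here as an added example rather than copied from the thread or the linked blog post: it uses Bro's Log framework to replace the default dns.log filter with two predicate-based filters keyed on Site::is_local_name. The zone names under Site::local_zones are constructed placeholders; adjust them to your own domains.

```bro
# Added example (not from the thread): split dns.log into dns_localzone.log
# and dns_remotezone.log by query name. Assumes Bro 2.x with the default
# DNS analyzer loaded; the zone names below are constructed placeholders.
@load base/protocols/dns
@load base/utils/site

# Names ending in any of these zones are treated as "local".
redef Site::local_zones += { "corp.example", "internal.example" };

# Helper so both filters agree on what counts as local: a record with no
# query field (e.g. a malformed or truncated message) is treated as remote,
# so it still lands in the log you will actually review.
function dns_is_local(rec: DNS::Info): bool
    {
    return rec?$query && Site::is_local_name(rec$query);
    }

event bro_init()
    {
    # Drop the stock dns.log writer so each record goes to exactly one file.
    Log::remove_default_filter(DNS::LOG);

    # Internal-zone lookups: keep this log, it is a useful asset inventory.
    Log::add_filter(DNS::LOG, [$name="dns-local",
                               $path="dns_localzone",
                               $pred(rec: DNS::Info) = { return dns_is_local(rec); }]);

    # Everything else: query this as you would a normal dns.log.
    Log::add_filter(DNS::LOG, [$name="dns-remote",
                               $path="dns_remotezone",
                               $pred(rec: DNS::Info) = { return ! dns_is_local(rec); }]);
    }
```

Load it from local.bro (or pass it on the command line) and confirm with `ls` in the log directory that dns.log is gone and the two new files appear.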