filter_noise_conn.bro
module LogFilter;

# Responder ports whose connections are dropped from conn.log by the
# "conn-noise" filter below, unless the record's conn_state marks the
# connection as failed/half-open (see the predicate). Ports are the usual
# DNS (53), NTP (123), NetBIOS-NS (137), SNMP (161) and LLMNR (5355)
# responders. NOTE(review): the filter matches on port/protocol only, so any
# traffic to these ports is dropped, not just the protocol normally found
# there. &redef lets a site narrow or widen the list without editing this file.
const ignore_ports_resp: set[port] = {53/udp, 53/tcp, 123/udp, 137/udp, 161/udp, 5355/udp} &redef;
# Service names (as reported in rec$service) that are dropped regardless of
# responder port or connection state. &redef for per-site adjustment.
const ignore_services: set[string] = {"dns"} &redef;
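event bro_init()
	{
	# Replace the default conn.log filter with one that drops "noise"
	# connections before they are written. A record the predicate returns F
	# for is never logged anywhere, so each rule below is a deliberate loss
	# of visibility; review the ignore lists before deploying this.
	Log::remove_default_filter(Conn::LOG);
	Log::add_filter(Conn::LOG, [$name = "conn-noise",
		$pred(rec: Conn::Info) = {
			local result = T;

			# conn_state and service are &optional fields of Conn::Info;
			# reading an unset optional field is a runtime error that aborts
			# the predicate, so each is tested with ?$ before use.

			# Keep connections that never completed (S0, SH, SHR) or whose
			# state begins with RSTO (the ^RSTO alternative has no $ anchor)
			# even when the responder port is in ignore_ports_resp: failed and
			# half-open connections to "noisy" ports are what scans and probes
			# leave behind. The original author considered dropping these too
			# (the commented-out result = F); current behaviour is to keep them.
			if (rec?$conn_state && /^RSTO|^S0$|^SH$|^SHR$/ in rec$conn_state)
				result = T;
			# Otherwise drop by responder port alone. This trusts the port
			# number: non-DNS/NTP/SNMP traffic sent to one of these ports
			# (e.g. a tunnel or C2 channel on 53/udp) is dropped as well.
			else if (rec$id$resp_p in ignore_ports_resp)
				result = F;

			# Drop by analysed service name regardless of port or state. Note
			# this also drops S0/SH records that were kept above if Bro tagged
			# them as a service in ignore_services.
			if (rec?$service && rec$service in ignore_services)
				result = F;

			# Drop anything involving a host in drop_ip_from_log. That set is
			# not declared in this file and must be provided by another loaded
			# script (presumably a set[addr]); Bro fails to load otherwise.
			if (rec$id$orig_h in drop_ip_from_log || rec$id$resp_h in drop_ip_from_log)
				result = F;

			return result;
		}
	]);
	}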
# If you have the CPU and disk to log everything and would rather keep the
# noise in a separate log file than drop it, use this variant instead. Note
# it splits on the responder port only: the conn_state, service and
# drop_ip_from_log rules of the filter above are not applied here, so those
# records all land in "conn".
| #event bro_init() | |
| #{ | |
| # Log::remove_default_filter(Conn::LOG); | |
| # Log::add_filter(Conn::LOG, [$name = "conn-noise", | |
| # $path_func(id: Log::ID, path: string, rec: Conn::Info) = { | |
| # | |
| # return (rec$id$resp_p in ignore_ports_resp) ? "conn-noise" : "conn"; | |
| # }]); | |
| #} |