Discussion:
[Bro] Disable Log Stream but not the analyzers
Alex Kefallonitis
2018-11-21 09:28:32 UTC
I have disabled the Log Stream for HTTP :

event bro_init()
    {
    Log::disable_stream(HTTP::LOG);
    }

But I want scripts using the HTTP protocol to work, e.g.
https://raw.githubusercontent.com/sethhall/bro-scripts/master/top-websites.bro

Is there any other way to do it?
Azoff, Justin S
2018-11-21 21:03:23 UTC
Hi,


Using


Log::remove_default_filter(HTTP::LOG);

instead of disable_stream should do what you want.

Alex Kefallonitis
2018-11-22 08:39:37 UTC
Hi, I did change it but no logs regarding HTTP are produced, like
https://raw.githubusercontent.com/sethhall/bro-scripts/master/top-websites.bro
or
https://github.com/BrashEndeavours/bro-scripts/blob/master/http_entropy.bro.



Michał Purzyński
2018-11-22 08:58:06 UTC
Indeed, scripts you’re showing depend on the log streams you just disabled.

_______________________________________________
Bro mailing list
***@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
Alex Kefallonitis
2018-11-22 10:05:48 UTC
So there is no way to disable specific logs but still use the analyzers in
the script? The scripts are reading the actual logs and need them to work?

Azoff, Justin S
2018-11-23 16:47:03 UTC
Read my response again...

Using Log::remove_default_filter does what you want. You used remove_stream which is something different.

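As an added example (not code from the thread, nor from the top-websites or http_entropy scripts it links), the following Bro script puts Justin's two calls side by side. `Log::remove_default_filter(HTTP::LOG)` drops only the filter that writes http.log; the stream stays enabled, so `Log::write()` still raises `HTTP::log_http` and any handler for that event keeps receiving records. `Log::disable_stream(HTTP::LOG)` (the original attempt, left commented out) disables the stream itself, and a disabled stream raises no log event, which is why the referenced scripts went quiet. The module name `HTTPNoFile` and the `records_seen` counter are assumptions made for this example; the `Log::`, `HTTP::log_http`, `bro_init` and `bro_done` names are standard Bro 2.x (on Zeek 3 and later the init/done events are `zeek_init` and `zeek_done`).

```zeek
# Added example: suppress http.log on disk while keeping the HTTP log
# stream alive for script consumers. Bro 2.x syntax; on Zeek 3+ rename
# bro_init/bro_done to zeek_init/zeek_done.

module HTTPNoFile;

export {
    ## Assumed counter for this example: number of HTTP records the stream
    ## delivered to script handlers even though nothing is written to disk.
    global records_seen: count = 0;
}

event bro_init()
    {
    # Remove only the default file filter. The stream remains enabled, so
    # every Log::write(HTTP::LOG, ...) still raises HTTP::log_http.
    Log::remove_default_filter(HTTP::LOG);

    # The original attempt, kept as the contrast. A disabled stream makes
    # Log::write() return before raising HTTP::log_http, so scripts that
    # hook that event never see a record.
    # Log::disable_stream(HTTP::LOG);
    }

# Consumer hook: fires once per HTTP record regardless of whether any
# filter (and therefore any http.log file) exists for the stream.
event HTTP::log_http(rec: HTTP::Info)
    {
    ++records_seen;
    }

# At shutdown, report how many records reached script handlers; with the
# default filter removed there should be no http.log alongside this count.
event bro_done()
    {
    print fmt("HTTP records delivered to script handlers: %d", records_seen);
    }
```

Load it together with the scripts you want to keep (for example `bro -i <iface> local this_script.bro`, or against a pcap with `bro -r`); a non-zero count at exit while no http.log appears in the working directory confirms the stream is still delivering records without a file filter.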
Alex Kefallonitis
2018-11-24 08:19:52 UTC
Yes, you are correct, it works! Thanks a lot.


