[Bro] Disable Base script

Siwek, Jonathan Luke jsiwek at illinois.edu
Mon Jan 6 11:29:01 PST 2014


On Dec 24, 2013, at 12:50 PM, Ward Sladek <wsladekjr at hotmail.com> wrote:

> What is the best practice for disabling a Base script?  For example, I would like to disable syslog monitoring all together.  I have included the following in my local.bro:
> 
> event bro_init()
>     {
>     Log::disable_stream(Syslog::LOG);
>     }
> 
> 
> This disables the logging of syslog messages, but does it prevent Bro from loading the base/protocols/syslog scripts?  If not, what is the best practice for doing so?  I'm trying to tune/tweak bro for best performance.

For command-line usage, `bro -b` or `bro —bare-mode` prevents base/init-default.bro and the scripts it references from being loaded by default.  From there, you can pick and choose freely.

For BroControl usage, I presume that setting “BroArgs = -b” in broctl.cfg and pruning site/local.bro as desired would work.

- Jon



More information about the Bro mailing list