[Bro] minimalistic bro setup

william de ping bill.de.ping at gmail.com
Thu Apr 6 02:59:37 PDT 2017


Thank you Johanna,

The thing is that regardless of init-default and init-bare, there are still
default plugins and analyzers that are loaded.
For example, if I am not processing any TCP traffic, I do not need the TCP analyzer
or HTTP-related plugins, and they are loaded by default.

Any ideas on that matter?

Thanks again,
B

On Wed, Apr 5, 2017 at 7:21 PM, Johanna Amann <johanna at icir.org> wrote:

> You are probably looking for bare mode, which you can use by starting Bro
> with the "-b" option.
>
> In bare mode, Bro only loads init-bare.bro, and does not load
> init-default; thus basically no analyzers are activated.
>
> Johanna
>
> On Wed, Apr 05, 2017 at 03:40:37PM +0300, william de ping wrote:
> > Hi,
> > Any ideas on how to turn off unwanted plugins\analyzers?
> >
> > Thanks
> >
> > On Tue, Apr 4, 2017 at 1:07 PM, william de ping <bill.de.ping at gmail.com>
> > wrote:
> >
> > > Hi all,
> > >
> > > I would like to make Bro really thin by not loading all unnecessary
> > > plugins\analyzers.
> > >
> > > I have tweaked init-bare and init-default scripts, yet when I see the
> > > loaded-scripts, I see that many plugins are loaded.
> > >
> > > How can I turn off plugins effectively?
> > > When I edit base/bif/plugins/__load__.bro to not load, say, FTP, I get
> > > many errors that some FTP fields are not recognized, preventing the
> > > cluster from running.
> > >
> > > I basically need only UDP and DNS events and have no need for the moment
> > > for other downstream analyzers\plugins.
> > >
> > > Thanks in advance
> > > B
> > >
>
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
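One way to measure what the thread describes, as an added example that is not from either poster or from the Bro project: a small Python audit of loaded_scripts.log that lists analyzer plugin bif files outside a needed set (here UDP and DNS). The sample log is constructed, and the `Bro_<NAME>.*.bif.bro` file-name pattern, the /opt/bro paths and the function names are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample in the loaded_scripts.log layout: header lines start
# with '#', nesting is shown by leading spaces. Paths are illustrative.
SAMPLE_LOG = """\
#separator \\x09
#path\tloaded_scripts
#fields\tname
#types\tstring
/opt/bro/share/bro/base/init-bare.bro
  /opt/bro/share/bro/base/bif/plugins/__load__.bro
    /opt/bro/share/bro/base/bif/plugins/Bro_DNS.events.bif.bro
    /opt/bro/share/bro/base/bif/plugins/Bro_FTP.events.bif.bro
    /opt/bro/share/bro/base/bif/plugins/Bro_FTP.functions.bif.bro
    /opt/bro/share/bro/base/bif/plugins/Bro_HTTP.events.bif.bro
    /opt/bro/share/bro/base/bif/plugins/Bro_TCP.events.bif.bro
    /opt/bro/share/bro/base/bif/plugins/Bro_UDP.events.bif.bro
  /opt/bro/share/bro/base/frameworks/logging/__load__.bro
"""

# Assumed naming pattern for plugin bif files under base/bif/plugins/.
PLUGIN_BIF = re.compile(r"/base/bif/plugins/Bro_(\w+)\.[^/]*\.bif\.bro$")


def loaded_plugins(log_text):
    """Map analyzer plugin name -> bif file names listed in the log."""
    plugins = defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#") or not line.strip():
            continue  # skip log header lines and blanks
        path = line.strip()  # indentation only encodes load nesting
        match = PLUGIN_BIF.search(path)
        if match:
            plugins[match.group(1)].append(path.rsplit("/", 1)[-1])
    return dict(plugins)


def unexpected_plugins(log_text, needed):
    """Plugin names present in the log but not in the needed set."""
    return sorted(set(loaded_plugins(log_text)) - set(needed))


if __name__ == "__main__":
    found = loaded_plugins(SAMPLE_LOG)
    for name in unexpected_plugins(SAMPLE_LOG, {"DNS", "UDP"}):
        print(name, found[name])
```

A bif file appearing in the log means its event and function declarations were loaded; it does not by itself show that the analyzer is activated on traffic.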