[Bro] minimalistic bro setup

Johanna Amann johanna at icir.org
Thu Apr 6 07:44:03 PDT 2017


Hi William,

If you use Bro in bare mode, even though the other analyzers will be 
loaded, they will not be active, and thus not use any CPU time; the 
amount of memory they use should not be rather small (which I guess 
might be important if you try to get it to work on embedded devices).

There currently is no easy way to prevent the shipped analyzers from 
loading, that I am aware of.

Johanna

On 6 Apr 2017, at 2:59, william de ping wrote:

> Thank you Johanna,
>
> The thing is that regardless of init-default and init-bare, there are still
> default plugins and analyzers that are loaded.
> For example, if I am not processing any TCP traffic, I do not TCP analyzer
> or HTTP's related plugins, and they are loaded by default.
>
> Any ideas for that matter ?
>
> Thanks again,
> B
>
> On Wed, Apr 5, 2017 at 7:21 PM, Johanna Amann <johanna at icir.org> wrote:
>
>> You are probably looking for bare mode, which you can use by starting Bro
>> with the "-b" option.
>>
>> In bare mode, Bro only loads init-bare.bro, and does not load
>> init-default; thus basically no analyzers are activated.
>>
>> Johanna
>>
>> On Wed, Apr 05, 2017 at 03:40:37PM +0300, william de ping wrote:
>>> hi
>>> any ideas on how to turn off unwanted plugins\analyzers ?
>>>
>>> thanks
>>>
>>> On Tue, Apr 4, 2017 at 1:07 PM, william de ping <bill.de.ping at gmail.com>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I would like to make bro real thin by not loading all unnecessary
>>>> plugins\analyzers.
>>>>
>>>> I have tweaked init-bare and init-default scripts, yet when I see the
>>>> loaded-scripts, I see that many plugins are loaded.
>>>>
>>>> How can I turn off plugins effectively ?
>>>> When I edit base/bif/plugins/__load__.bro to not load, say, FTP, I get
>>>> many errors that some FTP fields are not recognized and preventing the
>>>> cluster from running.
>>>>
>>>> I basically need only UDP and DNS events and have no need for the moment
>>>> for other down stream analyzers\plugins.
>>>>
>>>> Thanks in advance
>>>> B
>>>>
>>
>>
>>
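
The difference between "loaded" and "active" discussed in this thread can be checked from the loaded-scripts listing. The following is an added example, not code from the thread or from the Bro project: it separates plugins that only have their bif declarations loaded from protocols whose base/protocols scripts were loaded. The sample log, the install prefix and the name-matching heuristic are constructed assumptions.

```python
import re

# Constructed sample in the layout of loaded_scripts.log: a single "name"
# column, with leading spaces showing @load nesting. Paths are illustrative.
SAMPLE_LOG = """\
#fields\tname
#types\tstring
/usr/local/bro/share/bro/base/init-bare.bro
  /usr/local/bro/share/bro/base/bif/plugins/__load__.bro
    /usr/local/bro/share/bro/base/bif/plugins/Bro_DNS.events.bif.bro
    /usr/local/bro/share/bro/base/bif/plugins/Bro_FTP.events.bif.bro
    /usr/local/bro/share/bro/base/bif/plugins/Bro_HTTP.events.bif.bro
    /usr/local/bro/share/bro/base/bif/plugins/Bro_UDP.events.bif.bro
/usr/local/bro/share/bro/base/protocols/dns/__load__.bro
  /usr/local/bro/share/bro/base/protocols/dns/main.bro
"""

PLUGIN_RE = re.compile(r"/base/bif/plugins/Bro_([A-Za-z0-9]+)\.")
PROTO_RE = re.compile(r"/base/protocols/([^/]+)/")
# Assumption: transport plugins have no base/protocols/<name> directory,
# so they are left out of the comparison.
TRANSPORT = {"tcp", "udp", "icmp"}

def classify(log_text):
    """Return (plugins whose bif files loaded, protocols whose scripts loaded)."""
    declared, scripted = set(), set()
    for line in log_text.splitlines():
        path = line.strip()
        if not path or path.startswith("#"):
            continue  # skip blank lines and log header lines
        m = PLUGIN_RE.search(path)
        if m:
            declared.add(m.group(1).lower())
        m = PROTO_RE.search(path)
        if m:
            scripted.add(m.group(1).lower())
    return declared, scripted

def declared_only(log_text):
    """Plugins present in the listing with no base/protocols script loaded."""
    declared, scripted = classify(log_text)
    return sorted(declared - scripted - TRANSPORT)

if __name__ == "__main__":
    print("declared only:", declared_only(SAMPLE_LOG))
```

Entries reported by `declared_only` correspond to the case described in the reply above: the plugin shows up in the listing, but no protocol script for it was loaded.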
