[Bro] Run Bro with inspecting specific protocol only

Lincy Taylor lc.taylor at protonmail.com
Mon Feb 6 17:16:52 PST 2017

Hello all:

How to run bro with only necessary module and specific protocol analyzers enabled? I am trying to use Bro to detect huge amount of malicious DNS queries and found the packet dropping rate is higher than 50% in bro with PF_RING enabled. I was thinking if there's any method to speed up Bro by disabling unnecessary modules and protocol analyzers. Another problem I am having is I implemented an event handler for 'log_dns' event in my work and i will get no event logs if I removed the default built-in log stream of DNS with "Log::remove_stream(DNS::LOG)". Can anyone share with me your experiences? thanks.

Sent with [ProtonMail](https://protonmail.com) Secure Email.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170206/743f8b35/attachment.html 

More information about the Bro mailing list