[Bro] Run Bro with inspecting specific protocol only
lc.taylor at protonmail.com
Mon Feb 6 17:16:52 PST 2017
How to run bro with only the necessary modules and specific protocol analyzers enabled? I am trying to use Bro to detect a huge amount of malicious DNS queries and found the packet dropping rate is higher than 50% in bro with PF_RING enabled. I was thinking if there's any method to speed up Bro by disabling unnecessary modules and protocol analyzers. Another problem I am having is I implemented an event handler for the 'log_dns' event in my work and I will get no event logs if I remove the default built-in log stream of DNS with "Log::remove_stream(DNS::LOG)". Can anyone share with me your experiences? Thanks.
Sent with [ProtonMail](https://protonmail.com) Secure Email.
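An added example, not part of the original post or of the Bro distribution, showing the two knobs the question is about in one bare-mode script: a BPF restriction so the kernel discards non-DNS traffic before Bro sees it, `Analyzer::disable_analyzer` calls for decoders the DNS use case does not need, and a per-source query counter that hooks `dns_request` instead of `DNS::log_dns`. The `log_dns` event is raised from `Log::write` on the `DNS::LOG` stream, so once that stream is removed it never fires; `dns_request` is independent of logging. The interface name, the threshold value, and the `DNSOnly` module and notice names are placeholders chosen for this example; `restrict_filters`, `Analyzer::disable_analyzer`, `Log::remove_stream` and `dns_request` are existing Bro script-layer APIs.

```bro
# Added example (not from the original post): run as
#   bro -b -i eth0 dns_only.bro     (bare mode; "eth0" is a placeholder)
# so only the scripts @load-ed here are active.

@load base/frameworks/analyzer
@load base/frameworks/packet-filter
@load base/frameworks/notice
@load base/protocols/dns

module DNSOnly;

export {
    redef enum Notice::Type += {
        ## Raised when one source exceeds the per-minute query threshold.
        Query_Flood
    };

    ## Queries per source per minute before a notice is raised (assumed value).
    const query_threshold = 1000 &redef;
}

# Hand the kernel a BPF filter: packets Bro would never inspect are dropped
# before user space.  restrict_filters is AND-ed with the default capture filter.
redef restrict_filters += { ["dns-only"] = "udp port 53 or tcp port 53" };

# Per-source query counters.  Entries expire a minute after creation, so the
# table stays bounded on a busy sensor.
global queries: table[addr] of count &create_expire=1min &default=0;

event bro_init()
    {
    # Decoders that are irrelevant for a DNS-only sensor.  Each one disabled is
    # one less analyzer competing for CPU on packets that pass the BPF filter.
    Analyzer::disable_analyzer(Analyzer::ANALYZER_HTTP);
    Analyzer::disable_analyzer(Analyzer::ANALYZER_SSL);
    Analyzer::disable_analyzer(Analyzer::ANALYZER_SMTP);
    Analyzer::disable_analyzer(Analyzer::ANALYZER_FTP);
    Analyzer::disable_analyzer(Analyzer::ANALYZER_SSH);

    # Removing the DNS stream saves the cost of writing dns.log, but it also
    # means DNS::log_dns never fires, because that event is tied to Log::write
    # on this stream.  The detection below uses dns_request instead.
    Log::remove_stream(DNS::LOG);
    }

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    local src = c$id$orig_h;
    ++queries[src];

    # Fire once per source per window; Notice suppression keeps repeats quiet.
    if ( queries[src] == query_threshold )
        NOTICE([$note=Query_Flood,
                $msg=fmt("%s sent %d DNS queries within a minute (last: %s)",
                         src, queries[src], query),
                $src=src,
                $identifier=cat(src),
                $suppress_for=10min]);
    }
```

The BPF restriction is the part that most directly addresses drop rates: analyzers that are merely disabled still cost the copy into user space, whereas a kernel-side filter removes that work entirely. If `dns.log` is still wanted but `log_dns` handlers are not, `Log::disable_stream(DNS::LOG)` is a lighter alternative to removing the stream; either way, a detection that must survive log-stream changes should hang off protocol events such as `dns_request` rather than the log event.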