[Bro] - Skip Weird or ProtocolViolation analyzer

william de ping bill.de.ping at gmail.com
Thu Jun 8 07:55:41 PDT 2017


Yes I do see better results with bare mode.

However, is it possible to run Broctl in bare mode?


On Tue, Jun 6, 2017 at 7:36 PM, Johanna Amann <johanna at icir.org> wrote:

> Hi,
> Weird and ProtocolViolation are not analyzers, and because of that they are
> not especially costly. Weird is generally called when one of the protocol
> analyzers notices something "weird" happening in the protocol; this is
> then logged directly to weird.log. While you can disable this function
> call, I don't really think you will see significant performance gains by
> this.
> ProtocolViolation is a bit different; this is called when an analyzer
> encounters data in a protocol that it cannot parse (i.e. it is a violation
> of how we think that the protocol should work). This is generally logged
> into dpd.log, and the analyzer stops processing the connection after that.
> You definitely should not just delete this function call, as it might mess
> with what happens during protocol detection.
> If you want a Bro installation that does not instantiate most protocol
> analyzers, you can just start Bro in bare mode (using -b), and only load
> the scripts that you are interested in. By default Bro will not parse any
> application layer protocols in bare mode (you should not even see conn.log
> generated).
> Johanna
> On Sun, Jun 04, 2017 at 06:06:53PM +0300, william de ping wrote:
> > Hi all,
> >
> > I am trying to save bro unnecessary events, weird has quite a few hits
> > that are not relevant to me.
> > I see that under HTTP.cc or DNS.cc I have some redirection to WEIRD or
> > ProtocolViolation analyzers.
> > How can I delete the connection at this stage instead of sending it to
> > another costly analyzer?
> >
> > Can I just comment it out?
> >
> > Thank you,
> > B
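The approach Johanna describes, tuning which weirds get logged and starting Bro in bare mode with only the wanted scripts, as an added example script (not from the thread or the Bro project); the two weird names are placeholders to be replaced with entries from your own weird.log:

```bro
# Added example: suppress irrelevant weirds in script-land rather than editing
# the analyzers' C++ sources. Run with:  bro -b -r trace.pcap this-script.bro
# Assumption: the weird names below are placeholders; use the "name" column of
# your weird.log to pick the real ones.

# In bare mode (-b) nothing is loaded by default, so pull in only the
# frameworks and protocol analyzers you need.
@load base/frameworks/notice   # provides the Weird framework and weird.log
@load base/frameworks/dpd      # provides dpd.log for protocol violations
@load base/protocols/conn
@load base/protocols/http
@load base/protocols/dns

# Weird::actions decides, per weird name, whether an event is logged, logged
# once, raised as a notice, or dropped. Dropping is cheaper than patching the
# analyzer and leaves ProtocolViolation handling untouched.
redef Weird::actions += {
    ["unmatched_HTTP_reply"] = Weird::ACTION_IGNORE,    # placeholder name
    ["dns_unmatched_msg"]    = Weird::ACTION_LOG_ONCE,  # placeholder name
};

# Count protocol violations per analyzer so you can see which analyzer is
# giving up on connections (the same information lands in dpd.log).
global violations: table[string] of count &default=0;

event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
    {
    ++violations[Analyzer::name(atype)];
    }

event bro_done()
    {
    for ( a in violations )
        print fmt("%s: %d protocol violation(s)", a, violations[a]);
    }
```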