[Bro] - Skip Weird or ProtocolViolation analyzer
william de ping
bill.de.ping at gmail.com
Sat Jun 10 23:01:49 PDT 2017
Thank you very much!
I was not aware of that option.
On Thu, Jun 8, 2017 at 11:50 PM, Daniel Thayer <dnthayer at illinois.edu> wrote:
> When running Bro from broctl, you can pass command-line
> options to bro by setting a value for the "broargs" option
> in your etc/broctl.cfg file.
> For example, you can add this line to your etc/broctl.cfg file:
> broargs = -b
> On 6/8/17 9:55 AM, william de ping wrote:
>> Yes, I do see better results with bare mode.
>> However, is it possible to run Broctl in bare mode?
>> On Tue, Jun 6, 2017 at 7:36 PM, Johanna Amann <johanna at icir.org> wrote:
>> Weird and ProtocolViolation are not analyzers, and because of that they are
>> not especially costly. Weird is generally called when one of the
>> analyzers notices something "weird" happening in the protocol; this is
>> then logged directly to weird.log. While you can disable this function
>> call, I don't really think you will see significant performance gains
>>
>> ProtocolViolation is a bit different; this is called when an analyzer
>> encounters data in a protocol that it cannot parse (i.e. it is a
>> of how we think that the protocol should work). This is generally
>> into dpd.log, and the analyzer stops processing the connection after
>> You definitely should not just delete this function call, as it might mess
>> with what happens during protocol detection.
>>
>> If you want a Bro installation that does not instantiate most protocol
>> analyzers, you can just start Bro in bare mode (using -b), and only
>> the scripts that you are interested in. By default Bro will not parse any
>> application layer protocols in bare mode (you should not even see
>> On Sun, Jun 04, 2017 at 06:06:53PM +0300, william de ping wrote:
>> > Hi all,
>> > I am trying to save bro unnecessary events; weird has quite a few hits
>> > that are not relevant to me.
>> > I see that under HTTP.cc or DNS.cc I have some redirection to WEIRD
>> > ProtocolViolation analyzers.
>> > How can I delete the connection at this stage instead of sending it
>> > another costly analyzer?
>> > Can I just comment it out?
>> > Thank you,
>> > B
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
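As an added example (not from the thread or the Bro project), the setup the two replies describe: bare mode passed through broctl, plus a site script that loads only the protocol scripts you actually want. It assumes broctl still loads share/bro/site/local.bro on the command line when broargs is set, and that the base/ script paths are the standard Bro 2.x ones.

```bro
# etc/broctl.cfg (constructed example): add this line so every bro
# process that broctl starts runs in bare mode
#
#   broargs = -b
#
# share/bro/site/local.bro: in bare mode nothing beyond base/init-bare is
# loaded for you, so @load only what you want parsed. A protocol without an
# @load here is never instantiated, so it produces neither weird nor
# ProtocolViolation events in the first place.

@load base/protocols/conn        # conn.log
@load base/protocols/dns         # dns.log
@load base/protocols/http        # http.log

# These two are what turn the core's weird / protocol_violation events into
# weird.log and dpd.log; leave them out if you do not want those logs at all
# (the analyzers above keep working either way).
@load base/frameworks/notice
@load base/frameworks/dpd
```

After editing both files, run `broctl check` and then `broctl deploy` so the new broargs value takes effect.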