[Bro] Advanced filtering

Seth Hall seth at icir.org
Tue Jan 24 08:04:19 PST 2012


On Jan 24, 2012, at 10:39 AM, Thomas, Eric D wrote:

> I'd like to stop processing the packets associated with connections that meet certain heuristics. The goal would be to minimize the internal and script-based processing Bro does on those connections after the heuristic conditions are met, for performance and log size reasons. Is skip_further_processing the right BIF to use, or is there something more efficient or effective? 

skip_further_processing should work for you.  For 2.1, I'm hoping to have the reaction framework ready which may make it possible to divert or shunt traffic in this way even better and more abstractly.  Ultimately I'd like to make it possible for you to define ways of diverting or shunting traffic and Bro would choose the best method you provided to it by default.

If I understand skip_further_processing correctly, it should stop performing reassembly on the connection and remove all analyzers from the connection.  The traffic is still being pulled from the NIC onto the CPU but no further work should be performed on it.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
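The following script is an added illustration of the approach Seth describes, not code from the original thread or from the Bro project. It uses one example heuristic (a byte-count threshold, an assumed value) as the trigger and then calls skip_further_processing on the connection. The module name, the threshold and the polling interval are all assumptions chosen for the example.

```bro
##! Shunt bulk flows: once a connection has carried more than a threshold of
##! bytes, stop reassembly and detach all analyzers from it. The packets
##! still reach Bro from the NIC; only the per-connection work stops.

module ShuntBulk;

export {
    ## Bytes (both directions combined) after which a connection is
    ## shunted. Assumed value for this example; tune for your site.
    const byte_threshold = 100 * 1024 * 1024 &redef;
}

# connection_status_update only fires when this interval is non-zero
# (it defaults to 0 secs, i.e. disabled). 10 secs is an assumed value.
redef connection_status_update_interval = 10 secs;

# Connections already shunted, so the BIF is not called again on every
# status update. Entries are dropped when the connection is removed.
global shunted: set[conn_id] &read_expire = 1 hr;

event connection_status_update(c: connection)
{
    if ( c$id in shunted )
        return;

    # Example heuristic: total bytes seen in either direction.
    if ( c$orig$size + c$resp$size < byte_threshold )
        return;

    add shunted[c$id];

    # Stop reassembly and remove all analyzers for this connection.
    # Any protocol-level events for it cease from here on, which also
    # keeps the corresponding log entries from growing.
    skip_further_processing(c$id);
}

event connection_state_remove(c: connection)
{
    delete shunted[c$id];
}
```

Note that connection_status_update is disabled by default, so the redef of connection_status_update_interval is what makes the heuristic run at all; a more selective heuristic (for instance, a check in connection_established on ports or addresses) can call the same BIF without any polling. Whatever the trigger, the script does not reduce packet capture cost: as the reply says, the traffic is still pulled off the NIC, and dropping it before Bro sees it requires a capture filter or hardware shunting rather than a BIF.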
