[Bro] Properly disabling certain rules

James Lay jlay at slave-tothe-box.net
Wed Jun 18 08:01:19 PDT 2014


On 2014-06-18 08:56, Vlad Grigorescu wrote:
> Hi James,
>
> Just as a matter of terminology, these aren't rules, but analyzers. :-)
>
> Try adding something like this to your local.bro:
>
>> event bro_init() {
>>      Analyzer::disable_analyzer(Analyzer::ANALYZER_SSL);
>>      Analyzer::disable_analyzer(Analyzer::ANALYZER_SYSLOG);
>> }
>
>  --Vlad
>
>
> On Jun 18, 2014, at 10:09 AM, James Lay <jlay at slave-tothe-box.net> wrote:
>
>> Team,
>>
>> So...after upgrading to Bro 2.3, syslog and ssl have returned, which I
>> do not want to see.  I commented them out in init-default.bro, which is
>> not the right way to go I know.  How can I disable these in my
>> local.bro?  Thank you.
>>
>> James
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

Thanks for the clarification Vlad...helps if I at least SOUND like I 
know what I'm talking about :D

James


