[Bro] disable_stream vs remove_filter

Adam Hall abhall1 at yahoo.com
Mon Jun 8 07:01:53 PDT 2015


I am trying to figure out if there are any pros or cons to using disable_stream vs remove_filter.
From the reading they appear as if they are interchangeable... but I want to make sure that one of them doesn't have negative interplay.
Background of the event is:
I have Log::remove_filter(Files::LOG,"default"); and created my own log where I only store certain mime_types. I decided also that I wanted to remove other log files (weird, dpd, modbus, communication, known_*, PacketFilter) that aren't being used when research is performed. I have commented out some in the local.bro but need to either disable_stream or remove_filter the rest. Also, I currently have 2.2 and 2.3 running. I am using 2.4 for testing and then figuring backwards compatibility.
I am looking for:
1) Will one give me a performance gain over the other?
2) Will one cause problems for other calls being made (If I disable_stream and something calls that stream will it break)?
3) If I disable a stream and later decide to add a new filter, will that work?
I am still testing some of this, but any help would be greatly appreciated!
Thanks,
Adam "RedLight" Hall
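For readers following the thread, the setup the post describes (dropping the default filter on Files::LOG, adding a filter that keeps only selected MIME types, and disabling unused streams) looks like the following local.bro fragment. This is an added illustration, not code from the poster or from the Bro project; the set name keep_mime_types, the filter name "files-selected-mime", and the MIME types listed in it are assumptions chosen for the example. Stream identifiers such as Weird::LOG, DPD::LOG, Modbus::LOG, Communication::LOG, Known::HOSTS_LOG and PacketFilter::LOG are the ones Bro 2.x defines for the logs named in the post; which of them exist on a given install depends on which scripts local.bro loads.

```bro
# Added example (not from the original post): trim Bro's logging to what an
# investigation actually needs. Runs in a normal-priority bro_init() handler so
# that the streams have already been created by the framework scripts, which
# register them at a higher priority.

# MIME types worth keeping in files.log (example values, an assumption).
const keep_mime_types: set[string] = {
    "application/x-dosexec",
    "application/pdf",
    "application/zip",
} &redef;

event bro_init()
    {
    # 1) Remove the default filter that would write every file record...
    Log::remove_filter(Files::LOG, "default");

    # ...and replace it with one whose predicate only admits selected MIME types.
    # The Files::Info record's mime_type field is optional, so check it is set first.
    local f: Log::Filter = [
        $name = "files-selected-mime",
        $path = "files",
        $pred = function(rec: Files::Info): bool
            {
            return rec?$mime_type && rec$mime_type in keep_mime_types;
            }
    ];
    Log::add_filter(Files::LOG, f);

    # 2) Streams that produce logs nobody consults during research: disable the
    # whole stream instead of deleting filters one by one. Writers still may not
    # be disabled for any streams loaded later; disabling here does not remove
    # the stream's definition, only stops log lines being written to it.
    Log::disable_stream(Weird::LOG);
    Log::disable_stream(DPD::LOG);
    Log::disable_stream(Modbus::LOG);
    Log::disable_stream(Communication::LOG);
    Log::disable_stream(Known::HOSTS_LOG);
    Log::disable_stream(Known::SERVICES_LOG);
    Log::disable_stream(Known::CERTS_LOG);
    Log::disable_stream(PacketFilter::LOG);
    }
```

A quick check after deploying is to run `bro -i <iface> local` (or replay a pcap with `bro -r`) and confirm that weird.log, dpd.log and the other disabled logs are no longer created while files.log contains only the MIME types in keep_mime_types; if a stream identifier is not defined on a particular version, Bro reports the unknown identifier at startup rather than silently ignoring it.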
