[Bro] - Skip Weird or ProtocolViolation analyzer

william de ping bill.de.ping at gmail.com
Tue Jun 6 05:12:56 PDT 2017


Hi,

Yes, I am well aware of my input traffic, and I would like to save Bro as
much processing as I can.
If I know that all my traffic is SMTP related, I have no need for other
analyzers.
I would even like Bro to delete a packet that has some malformed data
instead of forwarding it to another analyzer.

The thing is that I would like to make Bro as bare as possible so it can
work as fast as Suricata.

Thanks
B

On Mon, Jun 5, 2017 at 8:36 PM, Hosom, Stephen M <hosom at battelle.org> wrote:

> I don’t think weird can cleanly be disabled. Is there a particular reason
> that you’re trying this hard to optimize? Even if you could turn off weird,
> it would be a bad idea to do so. That’s where a lot of the good
> troubleshooting data comes from for Bro. It can be a great way to find
> problems with your Bro deployment and your environment.
>
>
>
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of william
> de ping
> Sent: Sunday, June 4, 2017 11:07 AM
> To: bro at bro.org
> Subject: [Bro] - Skip Weird or ProtocolViolation analyzer
>
>
>
> Hi all,
>
> I am trying to save Bro unnecessary events; weird has quite a few hits
> that are not relevant to me.
> I see that under HTTP.cc or DNS.cc I have some redirection to WEIRD or
> ProtocolViolation analyzers.
>
> How can I delete the connection at this stage instead of sending it to
> another costly analyzer?
>
> Can I just comment it out?
>
> Thank you,
>
> B
>
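A script-level way to do what this thread asks about, added here as an example and not taken from the posts above or from Bro's own distribution: instead of editing the Weird or ProtocolViolation calls out of HTTP.cc or DNS.cc, a Bro 2.x site script can keep non-SMTP packets from reaching Bro at all, disable the analyzers that would never be attached, and mark individual weird names as ignored while leaving weird.log itself in place. It assumes Bro 2.5-era names (`restrict_filters`, `Analyzer::disabled_analyzers`, `Weird::actions`, `Weird::ACTION_IGNORE`), a site where SMTP is only on tcp/25 and tcp/587, and the weird names it ignores are real Bro names chosen only as illustrations of local noise.

```bro
##! Added example (not from the thread or from Bro): trim a Bro 2.x
##! deployment to an SMTP-only workload without touching the C++ analyzers.
##! Assumes Bro 2.5-era script names; SMTP ports and ignored weird names
##! are site-specific assumptions.

@load base/frameworks/notice/weird
@load base/protocols/smtp

# 1. Drop everything but SMTP in the BPF filter, before Bro parses it.
#    Assumption: SMTP lives only on tcp/25 and tcp/587 here.
redef restrict_filters += { ["smtp-only"] = "tcp port 25 or tcp port 587" };

# 2. Disable analyzers that could only ever attach to traffic the filter
#    now excludes, so protocol detection has fewer candidates to try.
redef Analyzer::disabled_analyzers += {
	Analyzer::ANALYZER_HTTP,
	Analyzer::ANALYZER_DNS,
	Analyzer::ANALYZER_SSL,
	Analyzer::ANALYZER_FTP,
};

# 3. Keep weird.log, but silence the specific names that are known noise
#    on this sensor. Which names count as noise is a local judgement;
#    these three TCP-level weirds are only illustrative.
redef Weird::actions += {
	["possible_split_routing"]           = Weird::ACTION_IGNORE,
	["data_before_established"]          = Weird::ACTION_IGNORE,
	["above_hole_data_without_any_acks"] = Weird::ACTION_IGNORE,
};
```

Load it from local.bro (or run `bro -r some.pcap smtp-only.bro` against a capture) and check two logs: packet_filter.log records the filter Bro actually compiled, which confirms the `restrict_filters` entry took effect, and weird.log should no longer contain the ignored names while still recording everything else. Keeping the unlisted weirds logged preserves the deployment-troubleshooting signal the earlier reply in this thread describes, while still removing the per-connection cost of the analyzers that were never relevant.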