[Bro] - Skip Weird or ProtocolViolation analyzer

Johanna Amann johanna at icir.org
Tue Jun 6 09:36:34 PDT 2017


Hi,

Weird and ProtocolViolation are not analyzers, and because of that they are
not especially costly. Weird is generally called when one of the protocol
analyzers notices something "weird" happening in the protocol; this is
then logged directly to weird.log. While you can disable this function
call, I don't really think you will see significant performance gains by
this.

ProtocolViolation is a bit different; this is called when an analyzer
encounters data in a protocol that it cannot parse (i.e. it is a violation
of how we think that the protocol should work). This is generally logged
into dpd.log, and the analyzer stops processing the connection after that.
You definitely should not just delete this function call, as it might mess
with what happens during protocol detection.

If you want a Bro installation that does not instantiate most protocol
analyzers, you can just start Bro in bare mode (using -b), and only load
the scripts that you are interested in. By default Bro will not parse any
application layer protocols in bare mode (you should not even see conn.log
generated).

Johanna

On Sun, Jun 04, 2017 at 06:06:53PM +0300, william de ping wrote:
> Hi all,
> 
> I am trying to save bro unnecessary events, weird has quite a few hits
> that are not relevant to me.
> I see that under HTTP.cc or DNS.cc I have some redirection to WEIRD or
> ProtocolViolation analyzers.
> How can I delete the connection at this stage instead of sending it to
> another costly analyzer ?
> 
> can I just comment it out ?
> 
> Thank you,
> B

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
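
The script-level alternative to commenting out the Weird() calls in HTTP.cc or DNS.cc, as an added example that is not part of this thread: the C++ analyzers keep reporting weirds and protocol violations, and the unwanted ones are dropped in the Weird framework or at the logging layer instead. It assumes the Bro 2.5-era script API (Weird::actions, Weird::ACTION_IGNORE, Weird::ACTION_LOG_PER_ORIG, Log::remove_default_filter, Weird::Info with an optional id field); the weird names and the 10.0.0.0/8 range are placeholders, so check your own weird.log for the names that are actually noisy for you.

```bro
# Added example, not code from the Bro project or the thread.
# Run in bare mode so only the loaded analyzers are instantiated, e.g.:
#   bro -b -r trace.pcap base/protocols/conn base/protocols/http \
#       base/protocols/dns weird-filter.bro
# In bare mode the Weird framework is not loaded automatically, so pull
# it in explicitly; it provides Weird::actions and the weird.log stream.
@load base/frameworks/notice

# 1. Ignore specific weird names outright. The names are assumptions
#    taken as typical HTTP/DNS weirds; adjust to what your weird.log shows.
redef Weird::actions += {
    ["bad_HTTP_request"]   = Weird::ACTION_IGNORE,
    ["DNS_RR_unknown_type"] = Weird::ACTION_IGNORE,
};

# 2. Keep a weird visible but rate-limit it to one entry per originator,
#    so a chatty client does not flood weird.log.
redef Weird::actions += {
    ["unmatched_HTTP_reply"] = Weird::ACTION_LOG_PER_ORIG,
};

# 3. For everything else, filter at the log stream: records whose
#    originator falls in a range we do not care about are never written.
#    The subnet is a placeholder (assumption).
const ignored_weird_sources: set[subnet] = { 10.0.0.0/8 } &redef;

# Predicate for the weird.log filter: return F to suppress the record.
# Weird::Info$id is optional (weirds without a connection have none),
# so test for its presence before dereferencing it.
function keep_weird(rec: Weird::Info): bool
    {
    if ( rec?$id && rec$id$orig_h in ignored_weird_sources )
        return F;
    return T;
    }

event bro_init()
    {
    # Replace the default filter rather than adding a second one;
    # otherwise the default filter would still write every record.
    Log::remove_default_filter(Weird::LOG);
    Log::add_filter(Weird::LOG, [$name="filtered-weird",
                                 $path="weird",
                                 $pred=keep_weird]);
    }
```

Steps 1 and 2 act before the record is created, so they also save the logging work; step 3 only saves the write. None of them touch ProtocolViolation, whose dpd.log entry and analyzer shutdown are left alone, which is the behaviour the reply above says you should not interfere with.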
