[Bro] - Skip Weird or ProtocolViolation analyzer

william de ping bill.de.ping at gmail.com
Sat Jun 10 23:01:49 PDT 2017


Thank you very much!

I was not aware of that option.

On Thu, Jun 8, 2017 at 11:50 PM, Daniel Thayer <dnthayer at illinois.edu>
wrote:

> When running Bro from broctl, you can pass command-line
> options to bro by setting a value for the "broargs" option
> in your etc/broctl.cfg file.
>
> For example, you can add this line to your etc/broctl.cfg file:
> broargs = -b
>
>
> On 6/8/17 9:55 AM, william de ping wrote:
>
>> Hi,
>>
>> Yes I do see better results with bare mode.
>>
>> However, is it possible to run Broctl in bare mode?
>>
>> Thanks,
>> B
>>
>> On Tue, Jun 6, 2017 at 7:36 PM, Johanna Amann <johanna at icir.org
>> <mailto:johanna at icir.org>> wrote:
>>
>>     Hi,
>>
>>     Weird and ProtocolViolation are not analyzers, and because of that they are
>>     not especially costly. Weird is generally called when one of the protocol
>>     analyzers notices something "weird" happening in the protocol; this is
>>     then logged directly to weird.log. While you can disable this function
>>     call, I don't really think you will see significant performance gains from
>>     this.
>>
>>     ProtocolViolation is a bit different; this is called when an analyzer
>>     encounters data in a protocol that it cannot parse (i.e. it is a violation
>>     of how we think that the protocol should work). This is generally logged
>>     into dpd.log, and the analyzer stops processing the connection after that.
>>     You definitely should not just delete this function call, as it might mess
>>     with what happens during protocol detection.
>>
>>     If you want a Bro installation that does not instantiate most protocol
>>     analyzers, you can just start Bro in bare mode (using -b), and only load
>>     the scripts that you are interested in. By default Bro will not parse any
>>     application layer protocols in bare mode (you should not even see conn.log
>>     generated).
>>
>>     Johanna
>>
>>     On Sun, Jun 04, 2017 at 06:06:53PM +0300, william de ping wrote:
>>     > Hi all,
>>     >
>>     > I am trying to save Bro unnecessary events; weird has quite a few hits
>>     > that are not relevant to me.
>>     > I see that under HTTP.cc or DNS.cc I have some redirection to WEIRD or
>>     > ProtocolViolation analyzers.
>>     > How can I delete the connection at this stage instead of sending it to
>>     > another costly analyzer?
>>     >
>>     > Can I just comment it out?
>>     >
>>     > Thank you,
>>     > B
>>
>>     > _______________________________________________
>>     > Bro mailing list
>>     > bro at bro-ids.org <mailto:bro at bro-ids.org>
>>     > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
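As an added illustration of the bare-mode setup Daniel and Johanna describe (this is not code from the thread or from the Bro project itself): with "broargs = -b" in etc/broctl.cfg, nothing from base/init-default.bro is loaded, so the site's local.bro has to pull in every script set it still wants, and any protocol whose scripts are not loaded simply never runs an analyzer, so it never produces weird or protocol_violation events. The script below assumes Bro 2.5-era script paths and the Weird::actions table from the notice framework; the weird name used in the redef is a placeholder chosen for illustration, not a recommendation.

```bro
##! site/local.bro for a bare-mode (-b) deployment. Added example; assumes
##! etc/broctl.cfg carries "broargs = -b" as described in the thread.

# Connection tracking and conn.log. Without this line, bare mode writes no
# conn.log at all, as Johanna notes.
@load base/protocols/conn

# Keep dynamic protocol detection so an analyzer still detaches (and dpd.log
# is written) when it hits a protocol violation; this is the behaviour that
# must not be removed from the C++ side.
@load base/frameworks/dpd

# Only the application-layer analyzers this site actually cares about.
# Every protocol not listed here stays unloaded, which is the cheap way to
# stop its weird/protocol_violation events from ever being generated.
@load base/protocols/dns
@load base/protocols/http

# The notice framework defines Weird::actions, which lets individual weird
# names be dropped in script-land instead of editing HTTP.cc or DNS.cc.
@load base/frameworks/notice

# Silence specific weird names that are known noise on this network.
# "bad_TCP_checksum" is a placeholder for this example; replace it with the
# names that dominate your own weird.log.
redef Weird::actions += {
    ["bad_TCP_checksum"] = Weird::ACTION_IGNORE,
};
```

Deploy it like any other local.bro (broctl deploy), then check logs/current: only conn.log, dns.log, http.log, dpd.log and weird.log should appear, and each additional log you still need gets its own @load line rather than a change to the core analyzers.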