[Bro] - Skip Weird or ProtocolViolation analyzer
william de ping
bill.de.ping at gmail.com
Sat Jun 10 23:01:49 PDT 2017
Thank you very much !
I was not aware of that option
On Thu, Jun 8, 2017 at 11:50 PM, Daniel Thayer <dnthayer at illinois.edu> wrote:
> When running Bro from broctl, you can pass command-line
> options to bro by setting a value for the "broargs" option
> in your etc/broctl.cfg file.
>
> For example, you can add this line to your etc/broctl.cfg file:
> broargs = -b
>
>
> On 6/8/17 9:55 AM, william de ping wrote:
>
>> Hi,
>>
>> Yes I do see better results with bare mode.
>>
>> However, is it possible to run Broctl in bare mode ?
>>
>> Thanks,
>> B
>>
>> On Tue, Jun 6, 2017 at 7:36 PM, Johanna Amann <johanna at icir.org> wrote:
>>
>> Hi,
>>
>> Weird and ProtocolViolation are not analyzers, and because of that they are
>> not especially costly. Weird is generally called when one of the protocol
>> analyzers notices something "weird" happening in the protocol; this is
>> then logged directly to weird.log. While you can disable this function
>> call, I don't really think you will see significant performance gains by
>> this.
>>
>> ProtocolViolation is a bit different; this is called when an analyzer
>> encounters data in a protocol that it cannot parse (i.e. it is a violation
>> of how we think that the protocol should work). This is generally logged
>> into dpd.log, and the analyzer stops processing the connection after that.
>> You definitely should not just delete this function call, as it might mess
>> with what happens during protocol detection.
>>
>> If you want a Bro installation that does not instantiate most protocol
>> analyzers, you can just start Bro in bare mode (using -b), and only load
>> the scripts that you are interested in. By default Bro will not parse any
>> application layer protocols in bare mode (you should not even see conn.log
>> generated).
>>
>> Johanna
>>
>> On Sun, Jun 04, 2017 at 06:06:53PM +0300, william de ping wrote:
>> > Hi all,
>> >
>> > I am trying to save Bro unnecessary events; weird has quite a few hits
>> > that are not relevant to me.
>> > I see that under HTTP.cc or DNS.cc I have some redirection to WEIRD or
>> > ProtocolViolation analyzers.
>> > How can I delete the connection at this stage instead of sending it to
>> > another costly analyzer?
>> >
>> > can I just comment it out ?
>> >
>> > Thank you,
>> > B
>>
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
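As an added example (not code from this thread or from the Bro project), the following site script shows the approach Johanna describes: start Bro in bare mode (bro -b, or broargs = -b in etc/broctl.cfg as Daniel notes), opt in only to the protocol analyzers you need, and silence irrelevant weirds by policy rather than by editing the weird() or ProtocolViolation() calls in the C++ analyzers. It assumes Bro 2.5-era script paths, the Weird::actions table from base/frameworks/notice, and the protocol_violation event signature of that release; the two weird names are illustrative placeholders, substitute the ones that are noise in your own weird.log.

```bro
# local-bare.bro  (assumed file name; run as: bro -b -i eth0 local-bare.bro)
#
# In bare mode Bro loads no protocol analyzers and writes no conn.log,
# so every analyzer below is enabled explicitly by loading its script.

@load base/protocols/conn       # conn.log
@load base/protocols/dns        # dns.log; enables the DNS analyzer
@load base/protocols/http       # http.log; enables the HTTP analyzer
@load base/frameworks/notice    # weird.log and the Weird::actions table
@load base/frameworks/dpd       # dpd.log for protocol violations

# Drop weirds that carry no value here instead of removing the weird()
# call in the core. Names are assumed for illustration only.
redef Weird::actions += {
	["dns_unmatched_msg"] = Weird::ACTION_IGNORE,
	["unescaped_special_URI_char"] = Weird::ACTION_IGNORE,
};

# Per-analyzer count of protocol violations, to see which analyzers are
# giving up on traffic and whether they are worth loading at all.
global violations_by_analyzer: table[Analyzer::Tag] of count &default=0;

# The analyzer has already stopped on this connection by the time this
# fires; the handler only observes, it does not alter detection.
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
	{
	++violations_by_analyzer[atype];
	}

event bro_done()
	{
	for ( atype in violations_by_analyzer )
		print fmt("%s: %d protocol violations", atype, violations_by_analyzer[atype]);
	}
```

Run it against a pcap first (bro -b -r trace.pcap local-bare.bro) and compare conn.log, weird.log and dpd.log with a non-bare run: any log that disappears is one whose script you have not loaded, not a sign that the traffic went away.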