[Bro] disabling PE analyzer
Azoff, Justin S
jazoff at illinois.edu
Fri Apr 13 08:57:34 PDT 2018
> On Apr 13, 2018, at 11:49 AM, Keith Lehigh <klehigh at iu.edu> wrote:
>
> Hi Folks,
> I’m trying to identify the source of some memory issues and as part of my troubleshooting, I wanted to try disabling the PE analyzer but I’m unable to get the syntax right. Below is what I’m trying along w/ some output. I’m quite surprised that Analyzer::ANALYZER_DHCP, shows up in disabled_analyzers when I redef the variable. Thanks for any insight.
>
> - Keith
>
>
> test.bro:
>
> redef Analyzer::disabled_analyzers += { Files::ANALYZER_PE };
>
> event bro_init()
>     {
>     print Analyzer::disabled_analyzers;
>     }
>
> Output :
>
> {
>     Analyzer::ANALYZER_TCPSTATS,
>     Analyzer::ANALYZER_DHCP,
>     Analyzer::ANALYZER_INTERCONN,
>     Analyzer::ANALYZER_BACKDOOR,
>     Analyzer::ANALYZER_STEPPINGSTONE
> }
I normally use

event bro_init()
    {
    Analyzer::disable_analyzer(Analyzer::ANALYZER_SYSLOG);
    }

but the PE analyzer isn't a regular analyzer, so I don't think that will work. It's initialized by the pe script using

const pe_mime_types = { "application/x-dosexec" };

event bro_init() &priority=5
    {
    Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types);
    Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe"]);
    }

so you can probably disable it by redeffing pe_mime_types to something that won't match anymore.
—
Justin Azoff