[Bro] disabling PE analyzer

Azoff, Justin S jazoff at illinois.edu
Fri Apr 13 08:57:34 PDT 2018


> On Apr 13, 2018, at 11:49 AM, Keith Lehigh <klehigh at iu.edu> wrote:
> 
> Hi Folks,
>   I’m trying to identify the source of some memory issues and as part of my troubleshooting, I wanted to try disabling the PE analyzer but I’m unable to get the syntax right.  Below is what I’m trying along w/ some output.  I’m quite surprised that Analyzer::ANALYZER_DHCP, shows up in disabled_analyzers when I redef the variable.  Thanks for any insight.
> 
> - Keith
> 
> 
> test.bro:
> 
> redef Analyzer::disabled_analyzers += { Files::ANALYZER_PE };
> 
> event bro_init()
>        {
>        print Analyzer::disabled_analyzers;
>        }
> 
> Output :
> 
> {
> Analyzer::ANALYZER_TCPSTATS,
> Analyzer::ANALYZER_DHCP,
> Analyzer::ANALYZER_INTERCONN,
> Analyzer::ANALYZER_BACKDOOR,
> Analyzer::ANALYZER_STEPPINGSTONE
> }

I normally use

event bro_init()
{
        Analyzer::disable_analyzer(Analyzer::ANALYZER_SYSLOG);
}

but the PE analyzer isn't a regular analyzer, so I don't think that will work.  It's initialized by the pe script using

const pe_mime_types = { "application/x-dosexec" };

event bro_init() &priority=5
	{
	Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types);
	Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe"]);
	}

so you can probably disable it by redeffing pe_mime_types to something that won't match anymore.



-- 
Justin Azoff
