[Bro] disabling PE analyzer
Seth Hall
seth at corelight.com
Fri Apr 13 09:31:25 PDT 2018
On 13 Apr 2018, at 11:57, Azoff, Justin S wrote:
> so you can probably disable it by redeffing pe_mime_types to something
> that won't match anymore.
The Files API does have a table to disable file analyzers too.
```bro
redef Files::disable += { [Files::ANALYZER_PE] = T };
```
I'm actually not totally sure if that should be "T" or "F" though
without some more checking. I suspect that it's "T" though.
--
Seth Hall * Corelight, Inc * www.corelight.com