[Bro] disabling PE analyzer
Keith Lehigh
klehigh at iu.edu
Fri Apr 20 07:01:43 PDT 2018
Your approach doesn’t appear to disable the PE analyzer, regardless of whether I use T or F. I still see logs written when I use the pe.trace file for testing. Justin’s approach works fine. I just change it to “x-fake” mimetype and I see no pe.log. Thanks!
- Keith
On 13 Apr 2018, at 12:31, Seth Hall wrote:
> On 13 Apr 2018, at 11:57, Azoff, Justin S wrote:
>
>> so you can probably disable it by redeffing pe_mime_types to something that won't match anymore.
>
> The Files api does have a table to disable file analyzers too.
>
> ```bro
> redef Files::disable += { [Files::ANALYZER_PE] = T };
> ```
>
> I'm actually not totally sure if that should be "T" or "F" though without some more checking. I suspect that it's "T" though.
>
> --
> Seth Hall * Corelight, Inc * www.corelight.com