Advanced filtering

I'd like to stop processing the packets associated with connections that meet certain heuristics. The goal would be to minimize the internal and script-based processing Bro does on those connections after the heuristic conditions are met, for performance and log size reasons. Is skip_further_processing the right BIF to use, or is there something more efficient or effective?

skip_further_processing should work for you. For 2.1, I'm hoping to have the reaction framework ready which may make it possible to divert or shunt traffic in this way even better and more abstractly. Ultimately I'd like to make it possible for you to define ways of diverting or shunting traffic and Bro would choose the best method you provided to it by default.

If I understand skip_further_processing correctly, it should stop performing reassembly on the connection and remove all analyzers from the connection. The traffic is still being pulled from the NIC onto the CPU but no further work should be performed on it.

  .Seth

One more thought actually. If you are concerned with log size, you really have no limitations for filtering and redirecting your logs with the logging framework. I'm hoping to do a short blog post today demonstrating some of the logging filters that I have created recently for various people.

  .Seth
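To tie the two replies together, here is an added example script (not from this thread, and not Bro's own code) that calls skip_further_processing once a connection matches a heuristic and then uses a logging-framework filter to route those connections' conn.log records to a separate, smaller file. It assumes the Bro 2.x script API (ssl_established, connection_established, Log::add_filter, Conn::Info); the module name, the skip_ports set and the conn_skipped path are assumptions.

```bro
# Added example (not from the thread): stop analysis of connections that
# match a heuristic, and redirect their conn.log records via a log filter.
# Assumes Bro 2.x script API: ssl_established, Log::add_filter, Conn::Info.
module SkipDemo;

export {
    # Assumed tunable: responder ports whose payload we never inspect.
    const skip_ports: set[port] = { 9418/tcp } &redef;
}

# Constructed state: UIDs of connections whose analysis we stopped.
global skipped: set[string] = set();

function stop_processing(c: connection, why: string)
    {
    if ( c$uid in skipped )
        return;
    # Removes the analyzers and stops reassembly; packets still reach the CPU.
    if ( skip_further_processing(c$id) )
        {
        add skipped[c$uid];
        print fmt("stopped analysis of %s (%s)", c$uid, why);
        }
    }

# Heuristic 1: the TLS handshake is done, so the payload is opaque to Bro.
event ssl_established(c: connection)
    {
    stop_processing(c, "tls established");
    }

# Heuristic 2: bulk-transfer service on a configured responder port.
event connection_established(c: connection)
    {
    if ( c$id$resp_p in skip_ports )
        stop_processing(c, fmt("port %s", c$id$resp_p));
    }

event bro_init()
    {
    # Keep the default conn.log; additionally write skipped connections to
    # conn_skipped.log without the history field to keep that file small.
    Log::add_filter(Conn::LOG, [$name="conn-skipped", $path="conn_skipped",
                                $exclude=set("history"),
                                $pred=function(rec: Conn::Info): bool
                                    { return rec$uid in skipped; }]);
    }
```

Replace the $pred with a `Log::remove_default_filter(Conn::LOG)` call in bro_init if the goal is to drop the default conn.log entirely rather than to add a second, filtered stream.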