I'm curious if Bro in bare mode is ever used for anything. I'm not
surprised to see bare mode include bifs. Is there a design decision
why bare mode includes things like the input and logging framework but
not the protocol directories that make use of them (e.g.
bro/base/protocols/conn) ?
> I'm curious if Bro in bare mode is ever used for anything.
The intention for bare mode is to allow users more choice in what script-level functionality to load. In practice, I don't know how often it's used for that.
The other thing I frequently use it for is unit tests, where I want minimal test cases and faster parse time.
> I'm not surprised to see bare mode include bifs. Is there a design decision
> why bare mode includes things like the input and logging framework but
> not the protocol directories that make use of them (e.g.
> bro/base/protocols/conn) ?
If it’s something that’s tightly coupled with internals and only has parse-time performance cost, then that’s something to expect to be loaded in bare mode. The protocol analysis packages don’t satisfy either condition — internals don’t depend on them to be loaded and loading them can have run-time performance costs.
I'll add that bare mode is essentially what used to be the default
configuration in Bro <2.0. So it's also a way to get back to the old
approach where you would add things as you need them. Bro is more
difficult to use that way but it can reduce resource usage quite a bit
if one really only needs a couple pieces.
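The "add things as you need them" approach described above, as an added example that is not part of the thread. It assumes Bro 2.x script paths (base/protocols/conn and base/protocols/dns) and the -b (bare mode) command-line flag; with -b only base/init-bare.bro is loaded, so any protocol scripts whose logs you want must be @load'ed explicitly.

```bro
# minimal.bro: added example of running Bro in bare mode, not code from the thread.
# Run as:   bro -b -r trace.pcap minimal.bro
# -b loads only base/init-bare.bro (bifs, logging and input frameworks), so
# without the @loads below no conn.log or dns.log would be produced.

@load base/protocols/conn   # produces conn.log; most other protocol scripts build on it
@load base/protocols/dns    # produces dns.log

# Sanity check that analysis is actually running in this stripped-down setup.
# connection_state_remove and bro_done are core events, available in bare mode.
global conns_seen = 0;

event connection_state_remove(c: connection)
	{
	++conns_seen;
	}

event bro_done()
	{
	print fmt("bare mode run finished: %d connection(s) seen", conns_seen);
	}
```

Comparing the set of .log files written by this script against a run without -b on the same trace shows what the default (non-bare) configuration loads beyond what you asked for, which is the resource-usage difference the reply above refers to.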