Disable analyzer

Lamorale · March 20, 2023, 10:35am

I am very new to zeek so please forgive this newbie qestion but how can I disable the analysys of a given protocol in zeek 5. In my case I would like to disable syslog protocol

awelzel · March 20, 2023, 10:43am

Hello Lamorale,

you can use the Analyzer::disable_analyzer bif within zeek_init():

event zeek_init() {
    Analyzer::disable_analyzer(Analyzer::ANALYZER_SYSLOG);
}

As a convenience, there’s also a set of analyzers to disable at startup: Analyzer::disabled_analyzer. You can extend it via the following:

redef Analyzer::disabled_analyzers += {
    Analyzer::ANALYZER_SYSLOG,
};

Either snippet would be added to local.zeek, for example.

Lamorale · March 20, 2023, 10:53am

Thanks a lot for your very fast response. It works fine

Topic		Replies	Views
New Analyzer Zeek	9	109	May 6, 2022
CIFS/SMB protocol analyzer Development development	3	121	May 6, 2022
File events question Zeek	3	138	May 6, 2022
LDAP Analyzer Zeek	2	98	May 6, 2022
Removal of barnyard2 and unified2 support Zeek development	0	246	August 16, 2022

Disable analyzer

Related Topics