Hi Folks,
I’m trying to identify the source of some memory issues and as part of my troubleshooting, I wanted to try disabling the PE analyzer, but I’m unable to get the syntax right. Below is what I’m trying along with some output. I’m quite surprised that Analyzer::ANALYZER_DHCP shows up in disabled_analyzers when I redef the variable. Thanks for any insight.
- Keith
test.bro:
redef Analyzer::disabled_analyzers += { Files::ANALYZER_PE };
event bro_init()
{
print Analyzer::disabled_analyzers;
}
Output:
{
Analyzer::ANALYZER_TCPSTATS,
Analyzer::ANALYZER_DHCP,
Analyzer::ANALYZER_INTERCONN,
Analyzer::ANALYZER_BACKDOOR,
Analyzer::ANALYZER_STEPPINGSTONE
}
I normally use
event bro_init()
{
Analyzer::disable_analyzer(Analyzer::ANALYZER_SYSLOG);
}
but the PE analyzer isn't a regular analyzer, so I don't think that will work. It's initialized by the pe script using
const pe_mime_types = { "application/x-dosexec" };
event bro_init() &priority=5
{
Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types);
Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe"]);
}
so you can probably disable it by redef'ing pe_mime_types to something that won't match anymore.
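A complete script for the approach described above, added here as an illustration rather than taken from the thread or from the Bro distribution. It assumes that pe_mime_types is declared inside module PE (so it is addressed as PE::pe_mime_types), that it can be redef'd in the version in use, and that Files::registered_mime_types is available for the startup check; the script name disable-pe.bro and the MIME string "application/x-never-matches" are made up for the example.

```zeek
# disable-pe.bro
# Added example, not code from the thread or from the Bro scripts.
# Idea: the PE analyzer is only ever attached to a file because it is
# registered for "application/x-dosexec", so pointing that registration
# at a MIME type the sniffer never produces keeps it from running.

module DisablePE;

# Assumption: pe_mime_types lives in module PE and is redef-able.
# Its original value is { "application/x-dosexec" }.
redef PE::pe_mime_types = { "application/x-never-matches" };

# Sanity check at startup. PE registers its MIME types in bro_init at
# &priority=5, so run after that and confirm the real executable MIME
# type is no longer mapped to Files::ANALYZER_PE.
# Assumption: Files::registered_mime_types exists in the version in use.
event bro_init() &priority=-10
	{
	local mts = Files::registered_mime_types(Files::ANALYZER_PE);

	if ( "application/x-dosexec" in mts )
		Reporter::warning("PE analyzer is still registered for application/x-dosexec");
	else
		print fmt("PE analyzer now registered only for: %s", mts);
	}
```

Run it against a trace that contains an executable transfer (for example bro -r pe.trace disable-pe.bro); with the redef in effect no pe.log should be produced, and the startup check prints the replacement MIME type instead of warning.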
The Files api does have a table to disable file analyzers too.
redef Files::disable += { [Files::ANALYZER_PE] = T };
I’m actually not totally sure if that should be “T” or “F” though without some more checking. I suspect that it’s “T” though.
Your approach doesn’t appear to disable the PE analyzer, regardless of whether I use T or F. I still see logs written when I use the pe.trace file for testing. Justin’s approach works fine. I just change it to “x-fake” mimetype and I see no pe.log. Thanks!