disabling PE analyzer

Hi Folks,
   I’m trying to identify the source of some memory issues and as part of my troubleshooting, I wanted to try disabling the PE analyzer but I’m unable to get the syntax right. Below is what I’m trying along w/ some output. I’m quite surprised that Analyzer::ANALYZER_DHCP, shows up in disabled_analyzers when I redef the variable. Thanks for any insight.

- Keith


redef Analyzer::disabled_analyzers += { Files::ANALYZER_PE };

event bro_init()
        print Analyzer::disabled_analyzers;

Output :


I normally use

event bro_init()

but the PE analyzer isn't a regular analyzer, so I don't think that will work. It's initialized by the pe script using

const pe_mime_types = { "application/x-dosexec" };

event bro_init() &priority=5
  Files::register_for_mime_types(Files::ANALYZER_PE, pe_mime_types);
  Log::create_stream(LOG, [$columns=Info, $ev=log_pe, $path="pe"]);

so you can probably disable it by redeffing pe_mime_types to something that won't match anymore.

The Files api does have a table to disable file analyzers too.

redef Files::disable += { [Files::ANALYZER_PE] = T };

I’m actually not totally sure if that should be “T” or “F” though without some more checking. I suspect that it’s “T” though.

Your approach doesn’t appear to disable the PE analyzer, regardless of whether I use T or F. I still see logs written when I use the pe.trace file for testing. Justin’s approach works fine. I just change it to “x-fake” mimetype and I see no pe.log. Thanks!

  • Keith