Downside to using -b?

From what I can tell, not loading base/loading init-default.bro (using the -b option) significantly improves performance, particularly if you are not enabling a bunch of different kinds of analysis. Assuming my local.bro loads the base scripts it needs for processing, is there any reason why I wouldn’t use -b?

Hi Eric :)

There's no reason not to use -b if you actually don't want that stuff enabled. Generally speaking, the only thing that should be consuming processing time in the normal mode is the protocol analysis. Everything else feeds off of that so the rest of the code that gets loaded shouldn't actually be getting executed (for the most part).

We made the decision to enable so many things by default for the 2.0 release because we wanted Bro to be extremely easy to run (to shed the past reputation of Bro being difficult to run). My goal was to make it easier to run than tcpdump and I think we achieved that (bro -r packets.pcap). The -b option was our way to leave the door open for more enterprising users to truly customize things as they wanted while still making Bro do a lot by default.
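As an added illustration (not part of the thread), a minimal local.bro of the kind the question assumes: with -b nothing under base/ is loaded automatically, so the script must @load exactly the protocol analysis it wants. The script paths are standard Bro 2.x ones; the pcap name is a placeholder.

```bro
# Added example: a minimal local.bro meant to be run in bare mode, e.g.
#   bro -b -r packets.pcap local.bro
# With -b, base/init-default.bro is skipped, so only what is loaded here
# (plus the core frameworks from init-bare.bro) is active.

# Connection summaries (conn.log); most protocol scripts build on this.
@load base/protocols/conn

# Load only the protocol analysis you actually need, since that is the part
# that costs CPU; everything else in base/ feeds off these events.
@load base/protocols/dns
@load base/protocols/http

# Optional check: writes loaded_scripts.log so you can confirm that nothing
# beyond the scripts above (and their dependencies) was pulled in.
@load policy/misc/loaded-scripts
```

Comparing loaded_scripts.log from a -b run against a normal run is the quickest way to see what init-default.bro would otherwise have enabled.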


Terrific, thanks!