minimal bro

Hi,
How to build a minimal Bro that only generates conn.log? I am not finding any steps for building this.

Regards,
sunu

> How to build minimal bro only generate conn.log
> not finding any steps for build this

I think you can find the answer in scripts/base/init-default.bro
and in scripts/base/init-bare.bro.

init-default.bro loads all the various protocol analyzers, while
init-bare.bro does not.

Mark

If I did not misunderstand your question, you could disable logging for the
other protocols and stick directly with the conn.log. Unless someone has a
better script or more efficient alternative option, could you possibly name
this script and @load it in your local.bro:

export {
  # Log streams to turn off. The two IDs below are only examples;
  # replace them with the logs you don't want to see.
  const ignore_logs: set[Log::ID] = { DNS::LOG, HTTP::LOG } &redef;
}

# Low priority so the protocol scripts have already created their
# streams in their own bro_init handlers before we disable them.
event bro_init() &priority=-10
{
  for ( i in ignore_logs )
    {
    Log::disable_stream(i);
    }
}

BTW this idea was gotten from Aaron Eppert's excellent bro scripting class
on networkdefense.io.

bro -r my.pcap -b -C base/protocols/conn

OK, thanks guys, I will try this. Is it possible, while compiling Bro, to make it minimal so that it only generates conn.log?

There are no options for building Bro in a minimal way, but Assaf's suggestion is the direction that I would go. If you run Bro with the '-b' flag it will run in "bare" mode which causes it to not load the init-default.bro script. You will then have to specify every bit of functionality that you would like Bro to run which is also why Assaf suggested loading the base/protocols/conn script.

This will cause Bro to do less processing than the other suggestion of disabling the log streams. If you disable the log streams Bro will still end up doing all of the work internally to create those logs just to throw out the data at the last minute.

   .Seth
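To put Seth's bare-mode recommendation into a single script, here is an added example that is not from anyone in this thread and not part of Bro's own distribution. The file name `minimal-conn.bro` and the trace name `trace.pcap` are assumptions; the `bro_init` handler is only a sanity check that prints which log streams ended up active.

```bro
# minimal-conn.bro (added example; the file name and trace.pcap are assumed)
#
# Run in bare mode (-b) so that init-default.bro, and with it every protocol
# analyzer and the log stream each one creates, is never loaded:
#
#   bro -b -C -r trace.pcap minimal-conn.bro
#
# Only the connection tracking that produces conn.log is loaded explicitly.
@load base/protocols/conn

# Sanity check: once every other bro_init handler has run (hence the low
# priority), list the log streams that are actually active. With only conn
# loaded this should show Conn::LOG plus whatever framework streams
# init-bare.bro itself sets up; no DNS::LOG, HTTP::LOG and so on.
event bro_init() &priority=-10
{
    for ( id in Log::active_streams )
        print fmt("active log stream: %s", id);
}
```

Compared with disabling streams in a `bro_init` handler, this approach never loads the analyzers in the first place, so the work Seth describes (parsing the protocol and building the log record only to discard it) is not done at all.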