minimalistic bro setup

Hi all,

I would like to make Bro really thin by not loading all the unnecessary plugins/analyzers.

I have tweaked the init-bare and init-default scripts, yet when I look at loaded-scripts, I see that many plugins are loaded.

How can I turn off plugins effectively?

When I edit base/bif/plugins/load.bro to not load, say, FTP, I get many errors that some FTP fields are not recognized, which prevents the cluster from running.

I basically need only UDP and DNS events and have no need for the moment for other downstream analyzers/plugins.

Thanks in advance

B

Hi,
Any ideas on how to turn off unwanted plugins/analyzers?

Thanks

You are probably looking for bare mode, which you can use by starting Bro
with the "-b" option.

In bare mode, Bro only loads init-bare.bro, and does not load
init-default; thus basically no analyzers are activated.

Johanna

Thank you Johanna,

The thing is that, regardless of init-default and init-bare, there are still default plugins and analyzers that get loaded.

For example, if I am not processing any TCP traffic, I do not need the TCP analyzer or the HTTP-related plugins, and yet they are loaded by default.

Any ideas on that matter?

Thanks again,

B

Hi William,

If you use Bro in bare mode, the other analyzers will still be loaded, but they will not be active and thus will not use any CPU time. The amount of memory they use should be rather small (which I guess might be important if you are trying to get it to work on embedded devices).

There is currently no easy way that I am aware of to prevent the shipped analyzers from loading.

Johanna
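To make the two answers above concrete, here is a minimal script for the use case in the original question (UDP and DNS only). It is an added example, not code from the thread or from the Bro distribution. It assumes a Bro 2.x install where init-bare.bro already loads the analyzer framework, so `Analyzer::disabled_analyzers` is available in bare mode; the file name minimal-dns.bro and the trace name dns.pcap are placeholders. As Johanna says, the compiled-in analyzers still show up in `bro -N` (the plugin list) and in loaded-scripts, but in bare mode nothing registers them for ports or DPD, so they never see a packet; the `redef` below only makes that explicit and guards against a later `@load` re-enabling them.

```bro
# minimal-dns.bro (added example; not part of the original thread)
#
# Run in bare mode so init-default.bro, and with it every protocol
# script that activates an analyzer, is never loaded:
#
#   bro -b -r dns.pcap minimal-dns.bro      # offline, against a trace
#   bro -b -i eth0    minimal-dns.bro      # live, on an interface
#
# Assumption: Bro 2.x, where init-bare.bro already provides the analyzer
# framework (Analyzer::disabled_analyzers, Analyzer::disable_analyzer).

# Load only what this use case needs. base/protocols/dns registers the
# DNS analyzer on 53/udp (and 53/tcp) and defines the dns_* events and
# dns.log. Nothing else (HTTP, FTP, SSL, ...) is ever registered.
@load base/protocols/dns

# Belt and braces: mark the analyzers we never want as disabled so that
# neither DPD nor a later @load of another protocol script can activate
# them. The tags are the Analyzer::Tag enum values of the shipped plugins.
redef Analyzer::disabled_analyzers += {
    Analyzer::ANALYZER_FTP,
    Analyzer::ANALYZER_HTTP,
    Analyzer::ANALYZER_SSL,
};

# Raw UDP visibility without the rest of the base/protocols tree.
# udp_request fires for each UDP packet from the originator.
event udp_request(u: connection)
    {
    print fmt("UDP %s:%s -> %s:%s",
              u$id$orig_h, u$id$orig_p, u$id$resp_h, u$id$resp_p);
    }

# DNS events are delivered as usual by the DNS analyzer loaded above.
event dns_request(c: connection, msg: dns_msg, query: string,
                  qtype: count, qclass: count)
    {
    print fmt("DNS query %s (qtype %d) from %s", query, qtype, c$id$orig_h);
    }

event bro_init()
    {
    # Quick self-check at startup: which analyzers are explicitly off.
    print "Disabled analyzers:", Analyzer::disabled_analyzers;
    }
```

Two checks worth running once: `bro -b minimal-dns.bro -e 'print Analyzer::disabled_analyzers;'` confirms the redef took effect without needing traffic, and comparing loaded-scripts (or `bro -b minimal-dns.bro` with `misc/loaded-scripts` added) against a non-bare run shows how much of base/protocols/ and base/frameworks/ is skipped. The TCP and UDP transport analyzers themselves are always present, which is what the question was seeing; they are part of the core rather than something a script loads.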