minimalistic bro setup

Hi all,

I would like to make bro real thin by not loading all unnecessary plugins\analyzers.

I have tweaked init-bare and init-default scripts, yet when I see the loaded-scripts, I see that many plugins are loaded.

How can I turn off plugins effectively?

When I edit base/bif/plugins/load.bro to not load, say, FTP, I get many errors that some FTP fields are not recognized, preventing the cluster from running.

I basically need only UDP and DNS events and have no need for the moment for other downstream analyzers\plugins.

Thanks in advance


Any ideas on how to turn off unwanted plugins\analyzers?


You are probably looking for bare mode, which you can use by starting Bro
with the "-b" option.

In bare mode, Bro only loads init-bare.bro, and does not load
init-default; thus basically no analyzers are activated.


Thank you Johanna,

The thing is that regardless of init-default and init-bare, there are still default plugins and analyzers that are loaded.

For example, if I am not processing any TCP traffic, I do not need the TCP analyzer or HTTP’s related plugins, and they are loaded by default…

Any ideas for that matter?

Thanks again,


Hi William,

If you use Bro in bare mode, even though the other analyzers will be loaded, they will not be active, and thus not use any CPU time; the amount of memory they use should not be rather small (which I guess might be important if you try to get it to work on embedded devices).

There currently is no easy way to prevent the shipped analyzers from loading, that I am aware of.
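
As an added example (not code from any poster in this thread or from the Bro project), the following separates the two kinds of entries discussed above in a `loaded_scripts.log`: the plugin bif files that are always listed, and the `base/protocols/*` script packages that a site script pulled in. The sample log, its paths and the `dns-only.bro` name are constructed, and the indented one-path-per-line layout is assumed.

```python
import re

# Constructed sample of loaded_scripts.log (paths are illustrative only).
SAMPLE_LOG = """\
#path\tloaded_scripts
#fields\tname
/usr/local/bro/share/bro/base/init-bare.bro
  /usr/local/bro/share/bro/base/bif/plugins/Bro_DNS.events.bif.bro
  /usr/local/bro/share/bro/base/bif/plugins/Bro_FTP.events.bif.bro
  /usr/local/bro/share/bro/base/bif/plugins/Bro_HTTP.events.bif.bro
/usr/local/bro/share/bro/site/dns-only.bro
  /usr/local/bro/share/bro/base/protocols/dns/__load__.bro
    /usr/local/bro/share/bro/base/protocols/dns/main.bro
  /usr/local/bro/share/bro/base/protocols/ftp/__load__.bro
    /usr/local/bro/share/bro/base/protocols/ftp/main.bro
#close\t2015-01-01-00-00-00
"""

# Plugin bif stubs: listed even in bare mode, per the thread.
PLUGIN_RE = re.compile(r"/base/bif/plugins/Bro_([A-Za-z0-9]+)\.")
# Script-layer protocol packages: these are what a site script can leave out.
PROTO_RE = re.compile(r"/base/protocols/([a-z0-9_-]+)/")

def classify(log_text):
    """Return (plugin_bifs, script_packages) as sets of lowercase names."""
    plugins, packages = set(), set()
    for line in log_text.splitlines():
        path = line.strip()              # entries are indented by load depth
        if not path or path.startswith("#"):
            continue                     # skip log header/footer lines
        m = PLUGIN_RE.search(path)
        if m:
            plugins.add(m.group(1).lower())
            continue
        m = PROTO_RE.search(path)
        if m:
            packages.add(m.group(1))
    return plugins, packages

def unexpected_packages(log_text, wanted):
    """Protocol script packages that were loaded but are not in `wanted`."""
    _, packages = classify(log_text)
    return sorted(packages - set(wanted))

if __name__ == "__main__":
    plugins, packages = classify(SAMPLE_LOG)
    print("plugin bifs (always listed):", sorted(plugins))
    print("script packages loaded:", sorted(packages))
    print("not needed for DNS-only:", unexpected_packages(SAMPLE_LOG, {"dns"}))
```

Only the last list is something a bare-mode site script can shrink; the plugin bif entries stay in the log regardless.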