Hi all,
I would like to make Bro real thin by not loading all unnecessary plugins\analyzers.
I have tweaked init-bare and init-default scripts, yet when I see the loaded-scripts, I see that many plugins are loaded.
How can I turn off plugins effectively?
When I edit base/bif/plugins/load.bro to not load, say, FTP, I get many errors that some FTP fields are not recognized, preventing the cluster from running.
I basically need only UDP and DNS events and have no need for the moment for other downstream analyzers\plugins.
Thanks in advance
B
Hi,
Any ideas on how to turn off unwanted plugins\analyzers?
Thanks
You are probably looking for bare mode, which you can use by starting Bro
with the "-b" option.
In bare mode, Bro only loads init-bare.bro, and does not load
init-default; thus basically no analyzers are activated.
Johanna
Thank you Johanna,
The thing is that regardless of init-default and init-bare, there are still default plugins and analyzers that are loaded.
For example, if I am not processing any TCP traffic, I do not need the TCP analyzer or HTTP-related plugins, and they are loaded by default…
Any ideas for that matter?
Thanks again,
B
Hi William,
if you use Bro in bare mode, even though the other analyzers will be loaded, they will not be active, and thus not use any CPU time; the amount of memory they use should not be rather small (which I guess might be important if you try to get it to work on embedded devices).
There currently is no easy way to prevent the shipped analyzers from loading, that I am aware of.
Johanna