- Skip Weird or ProtocolViolation analyzer

Hi all,

I am trying to save Bro unnecessary events; weird has quite a few hits that are not relevant to me.
I see that under HTTP.cc or DNS.cc I have some redirection to WEIRD or ProtocolViolation analyzers.

How can I delete the connection at this stage instead of sending it to another costly analyzer?

Can I just comment it out?

Thank you,

B

I don’t think weird can cleanly be disabled. Is there a particular reason that you’re trying this hard to optimize? Even if you could turn off weird, it would be a bad idea to do so. That’s where a lot of the good troubleshooting data comes from for Bro. It can be a great way to find problems with your Bro deployment and your environment.

Hi,

Yes I am well aware of my input traffic and I would like to save bro as much processing as I can.

If I know that all my traffic is SMTP related, I have no need for other analyzers.

I would even like Bro to delete a packet that has some malformed data instead of forwarding it to another analyzer.

The thing is that I would like to make Bro as bare as possible so it can work as fast as Suricata.

Thanks

B

Hi,

Weird and ProtocolViolation are not analyzers, and because of that they are
not especially costly. Weird is generally called when one of the protocol
analyzers notices something "weird" happening in the protocol; this is
then logged directly to weird.log. While you can disable this function
call, I don't really think you will see significant performance gains by
this.

ProtocolViolation is a bit different; this is called when an analyzer
encounters data in a protocol that it cannot parse (i.e. it is a violation
of how we think that the protocol should work). This is generally logged
into dpd.log, and the analyzer stops processing the connection after that.
You definitely should not just delete this function call, as it might mess
with what happens during protocol detection.

If you want a Bro installation that does not instantiate most protocol
analyzers, you can just start Bro in bare mode (using -b), and only load
the scripts that you are interested in. By default Bro will not parse any
application layer protocols in bare mode (you should not even see conn.log
generated).

Johanna
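As an added illustration of the bare-mode approach Johanna describes (this is not code from the thread or from the Bro project), the script below is the whole policy one would hand to Bro started with -b. The file name smtp-only.bro, the trace name smtp.pcap and the interface name are assumptions; the @load paths are the ones Bro 2.x ships under its scripts/base directory.

```bro
# smtp-only.bro (assumed file name): a minimal policy for bare mode.
#
# Run against a capture:    bro -b -r smtp.pcap smtp-only.bro
# Run on a live interface:  bro -b -i eth0 smtp-only.bro
#
# With -b Bro loads only base/init-bare.bro plus what this file pulls in,
# so no other application-layer analyzer is instantiated and no
# conn.log, weird.log or dpd.log appears unless requested below.

# Connection bookkeeping: without this there is no conn.log in bare mode.
@load base/protocols/conn

# The one protocol we care about: SMTP parser, smtp.log and its
# DPD signatures, which attach the analyzer to connections that look
# like SMTP rather than relying on port 25 alone.
@load base/protocols/smtp

# Optional: keep the diagnostics the thread discusses. Comment out
# either line to drop that log; the underlying weird / ProtocolViolation
# calls in the core still run, but nothing is written for them.
@load base/frameworks/notice/weird   # weird.log
@load base/frameworks/dpd            # dpd.log (protocol violations)

# Example of reacting to a violation without editing C++: once the
# SMTP analyzer gives up on a connection, nothing else will parse it.
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
	{
	if ( atype == Analyzer::ANALYZER_SMTP )
		print fmt("SMTP parse failure on %s: %s", c$uid, reason);
	}
```

Note that this trims what Bro parses, not what it captures; the packet filter still delivers all traffic, so the remaining cost is the per-packet work in the core plus the SMTP analyzer on connections that actually match.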

Hi,

Yes I do see better results with bare mode.

However, is it possible to run Broctl in bare mode?

Thanks,

B

Thank you very much!

I was not aware of that option.