On Jan 24, 2012, at 10:39 AM, Thomas, Eric D wrote:
I'd like to stop processing the packets
associated with connections that meet certain heuristics. The goal would be to minimize
the internal and script-based processing Bro does on those connections after the heuristic
conditions are met, for performance and log size reasons. Is skip_further_processing the
right BIF to use, or is there something more efficient or effective?
skip_further_processing should work for you. For 2.1, I'm hoping to have the
reaction framework ready, which may make it possible to divert or shunt traffic in this way
even better and more abstractly. Ultimately, I'd like to make it possible for you to
define ways of diverting or shunting traffic, and Bro would choose the best method you
provided to it by default.
If I understand skip_further_processing correctly, it should stop performing reassembly on
the connection and remove all analyzers from the connection. The traffic is still being
pulled from the NIC onto the CPU but no further work should be performed on it.
International Computer Science Institute
(Bro) because everyone has a network
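The shunting approach discussed above, as an added example script that is not part of the thread or of the Bro distribution. It calls the skip_further_processing BIF mentioned in the reply once a connection meets a heuristic; the two heuristics here (a set of assumed bulk-transfer ports, and "the SSL handshake is done, the rest is ciphertext") are illustrative choices, and the Shunt module, bulk_ports, shunt_after_ssl_handshake and the shunt() helper are names introduced for this example. The event and function names (connection_established, ssl_established, skip_further_processing, conn_id) are the Bro 2.x ones.

```bro
# Added example, not from the thread: stop processing a connection once
# a heuristic says the rest of it is not worth analyzing. After
# skip_further_processing() the core stops reassembling the connection
# and drops its analyzers; packets are still read from the NIC, but no
# analyzer or script-layer work is done on them.

module Shunt;

export {
    ## Assumed policy for this example: ports carrying bulk transfers
    ## whose payload we never want to analyze beyond the handshake.
    const bulk_ports: set[port] = { 873/tcp, 9200/tcp } &redef;

    ## Once the SSL handshake completes (and the certificate has been
    ## seen by the SSL analyzer), the remainder is opaque ciphertext.
    const shunt_after_ssl_handshake = T &redef;
}

## Helper introduced for this example: apply the shunt and report it.
## skip_further_processing() returns F if the core no longer knows the
## connection (e.g. it was already removed), so only real shunts are logged.
function shunt(c: connection, why: string)
    {
    if ( skip_further_processing(c$id) )
        print fmt("shunting %s:%s -> %s:%s (%s)",
                  c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, why);
    }

## Heuristic 1: the responder port is a known bulk-transfer service.
## We wait for the established state so that half-open scans still get
## the full treatment from the TCP analyzer.
event connection_established(c: connection)
    {
    if ( c$id$resp_p in bulk_ports )
        shunt(c, "bulk-transfer port");
    }

## Heuristic 2: the SSL handshake is finished. ssl_established fires after
## the handshake has been parsed, so the certificate has already been
## handed to the SSL scripts before we stop the analyzer.
event ssl_established(c: connection)
    {
    if ( shunt_after_ssl_handshake )
        shunt(c, "SSL handshake complete");
    }
```

Run it as `bro -r trace.pcap shunt.bro` (or load it from local.bro) and watch stdout for the shunt lines. Two things to check on your own traffic before relying on it for log-size reduction: the connection record is not removed by the shunt, so connection_state_remove still fires and a conn.log entry is still written for the flow; and since no analyzer sees the remaining packets, the byte and packet counters in that entry should not be expected to cover the part of the flow after the shunt (an assumption about the core's bookkeeping to verify, not something the reply states).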