Re: [Bro-Dev] Bare Mode

2013-11-23 Thread Vern Paxson
Yeah, I sometimes find when running on ginormous traces with limited disk
space available for (what will be massive) logs that -b really helps.

Vern
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


Re: [Bro-Dev] Bare Mode

2013-11-22 Thread Robin Sommer


On Fri, Nov 22, 2013 at 15:38 +, you wrote:

> The intention for mode is to allow users more choice in what
> script-level functionality to load.  In practice, I don’t know how
> often it’s used for that.

I'll add that bare mode is essentially what used to be the default
configuration in Bro <2.0. So it's also a way to get back to the old
approach where you would add things as you need them. Bro is more
difficult to use that way but it can reduce resource usage quite a bit
if one really only needs a couple pieces.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * ro...@icir.org
ICSI/LBNL* Fax   +1 (510) 666-2956 * www.icir.org/robin


Re: [Bro-Dev] Bare Mode

2013-11-22 Thread Siwek, Jonathan Luke

On Nov 21, 2013, at 9:33 PM, anthony kasza  wrote:

> I'm curious if Bro in bare mode is ever used for anything.

The intention for mode is to allow users more choice in what script-level 
functionality to load.  In practice, I don’t know how often it’s used for that.

The other thing I frequently use it for is unit tests, where I want minimal 
test cases and faster parse time.

> I'm not surprised to see bare mode include bifs. Is there a design decision
> why bare mode includes things like the input and logging framework but
> not the protocol directories that make use of them (e.g.
> bro/base/protocols/conn) ?

If it’s something that’s tightly coupled with internals and only has parse-time 
performance cost, then that’s something to expect to be loaded in bare mode.  
The protocol analysis packages don’t satisfy either condition — internals don’t 
depend on them to be loaded and loading them can have run-time performance 
costs.

- Jon


[Bro-Dev] Bare Mode

2013-11-21 Thread anthony kasza
Hey All,

Looking at the diff between the output of the two commands I was
slightly surprised.

bro -e 'event bro_script_loaded(script: string, levels: count) { print script; }'
bro -be 'event bro_script_loaded(script: string, levels: count) { print script; }'

I'm curious if Bro in bare mode is ever used for anything. I'm not
surprised to see bare mode include bifs. Is there a design decision
why bare mode includes things like the input and logging framework but
not the protocol directories that make use of them (e.g.
bro/base/protocols/conn) ?

-AK