In general, Bro will only do the work associated with a particular
analyzer if your policy script defines one or more event handlers
associated with the analyzer. For example, Bro will
instantiate an FTP analyzer only if your script defines an
ftp_request
or ftp_reply
handler. If it doesn't, then
when a new FTP connection begins, Bro will only instantiate a
generic TCP analyzer for it. This is an important point, because
some analyzers can require Bro to capture a large volume of
traffic (See Filtering) and perform a lot of computation;
therefore, you need to have a way to trade off between the type
of analysis you do and the performance requirements it entails,
so you can strike the best balance for your particular monitoring needs.
Deficiency: While Bro attempts to instantiate an analyzer if you define a handler for any of the events the analyzer generates, its method for doing so is incomplete: if you only define an analyzer's less mainstream handlers, Bro may fail to instantiate the analyzer.