Justin

Results 104 comments of Justin

Does this script make things crash?

```
event zeek_init()
    {
    when ( local result = lookup_hostname_txt("example.com") )
        {
        print result;
        }
    }
```

We have some tests for dns, but I...

Ah, @philrz another thing you can try is to use the stock scripts, but set ZEEK_DNS_FAKE=1 in the environment. If it crashes without that, but runs ok with that set, then...

input/ReaderBackend likely isn't used to dealing with a file.. not reading, so this likely triggered a codepath not often hit.

Ah, so it's the individual analyzers that are doing that? I made this change to the LDAP one and that seemed to work: ``` -protocol analyzer spicy::LDAP_TCP over TCP: +protocol...

> What analyzers are we talking about here? Getting them fixed would certainly be the preferred solution, but I can see stripping the prefix Zeek-side for now if that's hard....

The underlying issue is that `@load` is really like `#include` in C and not like `import` in python. ``` $ head -n 10 a.zeek b.zeek ==> a.zeek b.zeek

Really large filters are problematic in general, and things like long chains of `or` statements turn into a massive `O(N)` filter that gets slower and slower. Especially for the case...

Oh.. that is very easy to do actually.. Just need a json version of https://github.com/JustinAzoff/netflow-indexer/blob/master/netflowindexer/bro/indexer.py could probably have one that works for both.. do the bro json logs contain '.json'...

Oh, and could probably have a version that uses 'jq' to do the json heavy lifting if parsing all the json in python is too slow.

An API or that exact feature?