[Bro] Blacklist querying using Bro script

Martin Holste mcholste at gmail.com
Wed Mar 28 06:01:09 PDT 2012

I highly recommend checking out the Collective Intelligence Framework (
http://code.google.com/p/collective-intelligence-framework/) as a way to
manage your blacklists.  Of particular importance is its ability to store
and share to authorized parties your org's own custom blacklists in a
seamless way with other blacklists.

On Wed, Mar 28, 2012 at 6:24 AM, Sheharbano Khattak
<sheharbano.k at gmail.com>wrote:

> Dear Bro Team,
> I maintain blacklists of botnet C&C servers, spam sources etc. These are
> usually distributed as text files. Every once in a while, i need to update
> these by re-downloading them or better yet, by using rsync. In other cases,
> the database is too large to be locally maintained e.g. DNSBL and i would
> rather make an online query.
> I want this process to be completely automated. That is to say, i want to
> provide Bro with a list of URL's from where these lists can be obtained at
> the time of invocation. In my Bro script, i want to handle reading these
> files and also 'refresh' the lists say every 24 hours. Occasionally, i want
> to be able to make online queries about the 'sanity' of certain IP
> addresses.
> Can i do this using Bro Script? If not, how do i go about doing this?
> Regards,
> --
> Sheharbano Khattak
> Research Engineer / MS student
> NUST, Pakistan
> http://etheryell.com
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120328/19987e23/attachment.html 

More information about the Bro mailing list