[Bro] CIF and Bro Integration

Derek Banks itsecderek at gmail.com
Wed Mar 26 14:27:47 PDT 2014

The way I understand it, when new items are added to the files you include
in the Intel Framework, they are picked up and then in use.  However, to
remove items requires a Bro restart.  Someone please correct me if that is
not accurate.

FWIW, I have the CIF client on my Bro boxes pulling daily and I am
contemplating a weekly restart to dump anything no longer included in the
confidence level of the feed.

On Mar 26, 2014 5:02 PM, "O'Brion, Tom" <TOBrion at unum.com> wrote:

> Quick question when implementing the Intel Framework based on this post:
> http://blog.opensecurityresearch.com/2014/03/identifying-malware-traffic-with-bro.html
> Do you need to restart & reinstall BRO for it to grab a new feed?  I am
> going to script up a weekly cif reload and want to make sure.
> Thanks
> - Tom
> - "Life is too short to spend time with people who suck the happy out of
> you."
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140326/129cd1c1/attachment.html 

More information about the Bro mailing list