[Bro] CIF and Bro Integration
hammadog at gmail.com
Wed Mar 26 18:59:30 PDT 2014
Thanks all for the feedback. But now I have run into another issue with
generating the CIF feed with the -p bro plugin. The feed generated as the
attached link's feed did.
From the test feed that was in the supplied link:
#fields indicator indicator_type meta.source meta.desc meta.url meta.cif_impact meta.cif_severity meta.cif_confidence
When I generated my own feed, it came back as this:
#fields host net str str_type meta.source meta.desc meta.url meta.cif_impact
The attached link (in the current thread) feed works and generates the intel.log
file, but the one I generate does not generate a log entry. Is there
something else in Bro that I need to do for the feed to work properly? If
someone could point me in the right direction, I would much appreciate it!
On Wed, Mar 26, 2014 at 9:46 PM, Bernhard Amann <bernhard at icsi.berkeley.edu> wrote:
> On Mar 26, 2014, at 6:14 PM, Jon Schipp <jonschipp at gmail.com> wrote:
> > I'm not so certain anymore ;)
> > It looks like you're right that the mode is set to REREAD.
> > Though, I'm pretty sure that I've read in the documentation that a
> > restart is required for the removal of items.
> > Maybe that was a mistake. Oh well.
> You are right about that. Even though reread supports the removal of items,
> the current way in which it is used in the intelligence framework does not
> seem to.
> I have to ask Seth why that is the case - it should be easy to change this.
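The header mismatch above is the whole problem: Bro's Intel framework loads a feed through the input framework by column name, so a file whose #fields line says host/net/str/str_type instead of indicator/indicator_type is read without error but never produces an Intel::Item, and intel.log stays empty. The script below is an added example (not from this thread, not part of CIF or Bro): it checks a feed's #fields header for the two columns Bro requires and rewrites a CIF-style feed into the layout of the working feed quoted above. The CIF_SAMPLE feed is constructed for the example, and the mapping from CIF columns to Bro indicator types (host to Intel::ADDR or Intel::DOMAIN, str/str_type to Intel::URL, Intel::EMAIL or Intel::FILE_HASH) is an assumption about CIF's output, not documented behaviour; rows it cannot map, such as net-only rows, are counted and skipped rather than guessed.

```python
"""Check and convert an intel feed header for Bro's Intel framework.

Added example for illustration; not code from the mailing-list thread,
from CIF, or from Bro. The feed format is tab-separated with a '#fields'
header line, and '-' marks an empty column, as in Bro's own log format.
"""
import ipaddress

# The two columns Bro's Intel::Item requires. Everything else in the working
# feed from the thread is optional meta.* data carried through unchanged.
BRO_REQUIRED = ("indicator", "indicator_type")

# Assumed mapping of CIF str_type values to Bro Intel types (hypothetical).
STR_TYPE_MAP = {
    "url": "Intel::URL",
    "email": "Intel::EMAIL",
    "md5": "Intel::FILE_HASH",
    "sha1": "Intel::FILE_HASH",
    "sha256": "Intel::FILE_HASH",
}

# Constructed sample of a CIF-plugin feed with the header seen in the thread.
CIF_SAMPLE = "\n".join([
    "#fields\thost\tnet\tstr\tstr_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.cif_impact",
    "198.51.100.7\t-\t-\t-\tcif-example\tscanner\t-\tscanner",
    "bad.example.net\t-\t-\t-\tcif-example\tbotnet cc\t-\tbotnet",
    "-\t-\thttp://bad.example.net/x\turl\tcif-example\tmalware\t-\tmalware",
    "-\t203.0.113.0/24\t-\t-\tcif-example\tsuspicious\t-\tsuspicious",
]) + "\n"


def parse_fields(header):
    """Return the column names from a '#fields' line, or None if it is not one."""
    if not header.startswith("#fields"):
        return None
    return header.rstrip("\n").split("\t")[1:]


def missing_required(header):
    """List the required Bro columns absent from a '#fields' header line."""
    cols = parse_fields(header) or []
    return [c for c in BRO_REQUIRED if c not in cols]


def classify_host(value):
    """Assumed rule: an IP literal is Intel::ADDR, anything else Intel::DOMAIN."""
    try:
        ipaddress.ip_address(value)
        return "Intel::ADDR"
    except ValueError:
        return "Intel::DOMAIN"


def convert_cif_feed(text):
    """Rewrite a CIF-style feed into the #fields layout Bro's Intel framework loads.

    Returns (converted_text, rows_written, rows_skipped). Rows with no
    mappable indicator (for example net-only rows) are skipped, not guessed.
    """
    cols = None
    meta_cols = []
    out_rows = []
    skipped = 0
    for line in text.splitlines():
        if line.startswith("#fields"):
            cols = line.split("\t")[1:]
            meta_cols = [c for c in cols if c.startswith("meta.")]
            continue
        if not line or line.startswith("#"):
            continue  # comments and blank lines
        if cols is None:
            raise ValueError("data row before #fields header")
        row = dict(zip(cols, line.split("\t")))
        host = row.get("host", "-")
        s, st = row.get("str", "-"), row.get("str_type", "-")
        if host != "-":
            ind, typ = host, classify_host(host)
        elif s != "-" and st in STR_TYPE_MAP:
            ind, typ = s, STR_TYPE_MAP[st]
        else:
            skipped += 1
            continue
        out_rows.append("\t".join([ind, typ] + [row.get(m, "-") for m in meta_cols]))
    header = "#fields\t" + "\t".join(list(BRO_REQUIRED) + meta_cols)
    return "\n".join([header] + out_rows) + "\n", len(out_rows), skipped


if __name__ == "__main__":
    print("missing from CIF header:", missing_required(CIF_SAMPLE.splitlines()[0]))
    converted, written, dropped = convert_cif_feed(CIF_SAMPLE)
    print(converted, end="")
    print("written:", written, "skipped:", dropped)
```

Run the check first against any feed that loads without an intel.log entry; if missing_required reports indicator or indicator_type, the input framework had nothing to bind to the Intel::Item record and the conversion step is what is needed. Keep the tab separators intact when editing the file by hand, since the input framework splits on tabs, not runs of whitespace.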