[Bro] Removing IP from Intel Framework?
seth at icir.org
Mon Sep 15 13:53:31 PDT 2014
On Sep 15, 2014, at 1:13 PM, Seth Hall <seth at icir.org> wrote:
> I'm hoping that I can get a repository up on github today/tonight that makes your statement incorrect. :)
This repository adds two features.
- You can extend your intel log (now named intel_ext.log).
- You can whitelist items.
These features will likely be integrated into Bro at a future date. I'm trying to use this ext repository as a way to vet features for the intel framework before integrating them right into the main distribution.
If you want to start whitelisting intel items at runtime, you should create a new intel file with an extra "meta.whitelist" field and set the field value to "T" (there is a test that shows this). As you add elements to this intel file, those items won't show up in your intel_ext.log.
The intel file will look something like this...
#fields indicator indicator_type meta.source meta.whitelist
bro.org Intel::DOMAIN my_whitelist T
You should probably maintain this as a separate file and make sure that you are giving the source as something distinct from where the data comes from originally (it's "my_whitelist" in my example).
Have fun! :)
International Computer Science Institute
(Bro) because everyone has a network
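To make the intel file layout and the whitelisting decision concrete, here is an added Python example; it is not code from Seth's ext repository or from Bro. It assumes the standard tab-separated intel file format (the spaces in the mail are taken to be tabs) and that a hit on any whitelisted matching item keeps that hit out of intel_ext.log.

```python
# Added example: parse a Bro intel file that carries a meta.whitelist column
# and decide which hits belong in intel_ext.log. The suppression rule is an
# approximation of the behaviour described in the post, not the ext code.
from dataclasses import dataclass

# Constructed intel file: one whitelisted domain and one ordinary indicator.
INTEL_FILE = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.whitelist\n"
    "bro.org\tIntel::DOMAIN\tmy_whitelist\tT\n"
    "evil.example\tIntel::DOMAIN\tsome_feed\t-\n"
)

@dataclass(frozen=True)
class Item:
    indicator: str
    indicator_type: str
    source: str
    whitelist: bool

def parse_intel(text):
    """Return Items from a tab-separated intel file; '-' is Bro's empty value."""
    fields = None
    items = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#fields"):
            fields = raw.split("\t")[1:]      # column names follow the #fields tag
            continue
        if raw.startswith("#"):
            continue                          # other comment/header lines
        if fields is None:
            raise ValueError("data line before #fields header")
        cols = raw.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {raw!r}")
        row = dict(zip(fields, cols))
        items.append(Item(
            indicator=row["indicator"],
            indicator_type=row["indicator_type"],
            source=row.get("meta.source", "-"),
            whitelist=row.get("meta.whitelist", "-") == "T",
        ))
    return items

def should_log(items, indicator, indicator_type):
    """True if a hit on (indicator, type) should reach intel_ext.log: it must match
    at least one item and none of the matching items may be whitelisted."""
    matches = [i for i in items
               if i.indicator == indicator and i.indicator_type == indicator_type]
    return bool(matches) and not any(i.whitelist for i in matches)
```

The parser rejects rows whose column count disagrees with the #fields header, which is the usual symptom of a file edited with spaces instead of tabs.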