[Bro] Removing IP from Intel Framework?

Seth Hall seth at icir.org
Mon Sep 15 13:53:31 PDT 2014


On Sep 15, 2014, at 1:13 PM, Seth Hall <seth at icir.org> wrote:

> I'm hoping that I can get a repository up on github today/tonight that makes your statement incorrect. :)

https://github.com/sethhall/intel-ext

This repository adds two features.  
	- You can extend your intel log (now named intel_ext.log).
	- You can whitelist items.  

These features will likely be integrated into Bro at a future date.  I'm trying to use this ext repository as a way to vet features for the intel framework before integrating them right into the main distribution.

If you want to start whitelisting intel items at runtime, you should create a new intel file with an extra "meta.whitelist" field and set the field value to "T" (there is a test that shows this).  As you add elements to this intel file, those items won't show up in your intel_ext.log.

The intel file will look something like this...

#fields	indicator	indicator_type	meta.source	meta.whitelist
bro.org	Intel::DOMAIN	my_whitelist	T

You should probably maintain this as a separate file and make sure that you are giving the source as something distinct from where the data comes from originally (it's "my_whitelist" in my example).

Have fun! :)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/





More information about the Bro mailing list