[Bro] Removing IP from Intel Framework?
michalpurzynski1 at gmail.com
Mon Sep 15 14:05:53 PDT 2014
W00t, thanks a lot, testing ASAP.
On Mon, Sep 15, 2014 at 10:53 PM, Seth Hall <seth at icir.org> wrote:
> On Sep 15, 2014, at 1:13 PM, Seth Hall <seth at icir.org> wrote:
> > I'm hoping that I can get a repository up on github today/tonight that
> > makes your statement incorrect. :)
> This repository adds two features.
> - You can extend your intel log (now named intel_ext.log).
> - You can whitelist items.
> These features will likely be integrated into Bro at a future date. I'm
> trying to use this ext repository as a way to vet features for the intel
> framework before integrating them right into the main distribution.
> If you want to start whitelisting intel items at runtime, you should
> create a new intel file with an extra "meta.whitelist" field and set the
> field value to "T" (there is a test that shows this). As you add elements
> to this intel file, those items won't show up in your intel_ext.log.
> The intel file will look something like this...
> #fields indicator indicator_type meta.source meta.whitelist
> bro.org Intel::DOMAIN my_whitelist T
> You should probably maintain this as a separate file and make sure that
> you are giving the source as something distinct from where the data comes
> from originally (it's "my_whitelist" in my example).
> Have fun! :)
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> Bro mailing list
> bro at bro-ids.org
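A worked illustration of the whitelist file described in the quoted reply. This is an added example, not code from Bro or from Seth's intel extension repository: it builds a whitelist file in Bro's intel format (a "#fields" header, tab-separated columns, T/F booleans) with its own meta.source, parses it back, and models the stated behaviour that whitelisted items are not logged. The feed contents, the observed indicators and the helper names (parse_intel, make_whitelist, would_log) are all constructed for this example; the real framework does the matching inside Bro, so would_log only mirrors the outcome the reply describes.

```python
"""Bro intel files carrying the meta.whitelist column described above.
Added example; not code from Bro or from the intel extension repository.
Sample feeds and helper names are constructed for illustration."""

# Constructed sample feed in Bro's tab-separated intel format: a "#fields"
# header names the columns, "-" marks an empty field, booleans are T/F.
INTEL_FEED = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    "bro.org\tIntel::DOMAIN\tsome_feed\tfalse positive shipped by the feed\n"
    "evil.example\tIntel::DOMAIN\tsome_feed\tmalware c2\n"
    "192.0.2.10\tIntel::ADDR\tsome_feed\t-\n"
)

# Constructed whitelist kept in its own file with a distinct meta.source,
# as the reply recommends.
WHITELIST = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.whitelist\n"
    "bro.org\tIntel::DOMAIN\tmy_whitelist\tT\n"
)


def parse_intel(text):
    """Parse intel-file text into a list of dicts keyed by the #fields names."""
    fields = None
    items = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # any other comment line
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(
                f"line {lineno}: expected {len(fields)} columns, got {len(values)}")
        items.append(dict(zip(fields, values)))
    return items


def make_whitelist(entries, source="my_whitelist"):
    """Render (indicator, indicator_type) pairs as a whitelist intel file."""
    lines = ["#fields\tindicator\tindicator_type\tmeta.source\tmeta.whitelist"]
    for indicator, itype in entries:
        lines.append(f"{indicator}\t{itype}\t{source}\tT")
    return "\n".join(lines) + "\n"


def whitelisted(items):
    """Keys (indicator, indicator_type) of items whose meta.whitelist is T."""
    return {(i["indicator"], i["indicator_type"])
            for i in items if i.get("meta.whitelist") == "T"}


def check_sources_distinct(feed_items, whitelist_items):
    """True when the whitelist reuses none of the real feeds' source names."""
    feed_sources = {i["meta.source"] for i in feed_items}
    return all(i["meta.source"] not in feed_sources for i in whitelist_items)


def would_log(feed_text, whitelist_text, observed):
    """Observed (indicator, type) pairs that would reach intel_ext.log:
    present in the feed and not whitelisted (models the described behaviour)."""
    feed = {(i["indicator"], i["indicator_type"]) for i in parse_intel(feed_text)}
    wl = whitelisted(parse_intel(whitelist_text))
    return [key for key in observed if key in feed and key not in wl]


if __name__ == "__main__":
    seen = [("bro.org", "Intel::DOMAIN"), ("evil.example", "Intel::DOMAIN"),
            ("203.0.113.5", "Intel::ADDR")]
    print(would_log(INTEL_FEED, WHITELIST, seen))  # [('evil.example', 'Intel::DOMAIN')]
    print(make_whitelist([("bro.org", "Intel::DOMAIN")]) == WHITELIST)  # True
```

Note that the columns really are tab-separated in a Bro intel file; the spaces in the quoted sample above are an artifact of the mail archive, and a file written with spaces will not load.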