[Bro] Removing IP from Intel Framework?
liburdi.joshua at gmail.com
Mon Sep 15 15:24:04 PDT 2014
Just to clarify a couple things ...
Do in-line indicator changes require a restart? That is, if my intel
file is deployed with indicator blah.org and a whitelist value of F,
then later I update that value to T, do I need to restart for that
change to be picked up? IIRC you still would need to restart for the
value change to be read.
The whitelisting also wouldn't decrease any processing requirements of
the Intel framework since the initial indicator match is still
On Mon, Sep 15, 2014 at 1:53 PM, Seth Hall <seth at icir.org> wrote:
> On Sep 15, 2014, at 1:13 PM, Seth Hall <seth at icir.org> wrote:
>> I'm hoping that I can get a repository up on github today/tonight that makes your statement incorrect. :)
> This repository adds two features.
> - You can extend your intel log (now named intel_ext.log).
> - You can whitelist items.
> These features will likely be integrated into Bro at a future date. I'm trying to use this ext repository as a way to vet features for the intel framework before integrating them right into the main distribution.
> If you want to start whitelisting intel items at runtime, you should create a new intel file with an extra "meta.whitelist" field and set the field value to "T" (there is a test that shows this). As you add elements to this intel file, those items won't show up in your intel_ext.log.
> The intel file will look something like this...
> #fields indicator indicator_type meta.source meta.whitelist
> bro.org Intel::DOMAIN my_whitelist T
> You should probably maintain this as a separate file and make sure that you are giving the source as something distinct from where the data comes from originally (it's "my_whitelist" in my example).
> Have fun! :)
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> Bro mailing list
> bro at bro-ids.org
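As an added illustration of the mechanism described in the thread (not code from Seth's ext repository or from Bro itself): a small Python model of a regular intel file loaded alongside a separate whitelist file carrying the extra meta.whitelist field. The indicator bro.org, the source my_whitelist and the column names come from the message above; the file contents and the feed name feed_a are constructed here. It also shows Josh's point that the indicator match still happens, and only the log record is suppressed.

```python
# Constructed sample files in Bro intel format: tab-separated, '#fields' header.
INTEL_MAIN = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "bro.org\tIntel::DOMAIN\tfeed_a\n"
    "evil.example\tIntel::DOMAIN\tfeed_a\n"
)
# Separate whitelist file with the additional meta.whitelist column, distinct source.
INTEL_WHITELIST = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.whitelist\n"
    "bro.org\tIntel::DOMAIN\tmy_whitelist\tT\n"
)


def parse_intel(text):
    """Parse an intel file into a list of dicts keyed by the #fields header.
    A column absent from the file (e.g. meta.whitelist) is simply not present."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip() or (line.startswith("#") and not line.startswith("#fields")):
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def build_store(*files):
    """Merge several intel files into one store keyed by (indicator, type).
    Any file marking an item with meta.whitelist=T flags that item as whitelisted."""
    store = {}
    for text in files:
        for row in parse_intel(text):
            key = (row["indicator"], row["indicator_type"])
            entry = store.setdefault(key, {"sources": set(), "whitelist": False})
            entry["sources"].add(row["meta.source"])
            if row.get("meta.whitelist") == "T":
                entry["whitelist"] = True
    return store


def match(store, indicator, itype):
    """Return (matched, log_record). The lookup is performed for every seen value,
    so whitelisting saves no matching work; it only drops the log record."""
    entry = store.get((indicator, itype))
    if entry is None:
        return False, None
    if entry["whitelist"]:
        return True, None
    return True, {"indicator": indicator, "sources": sorted(entry["sources"])}
```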