[Bro] Removing IP from Intel Framework?

Seth Hall seth at icir.org
Mon Sep 15 19:13:23 PDT 2014

On Sep 15, 2014, at 6:24 PM, Josh Liburdi <liburdi.joshua at gmail.com> wrote:

> Do in-line indicator changes require a restart? That is, if my intel
> file is deployed with indicator blah.org and a whitelist value of F,
> then later I update that value to T, do I need to restart for that
> change to be picked up? IIRC you still would need to restart for the
> value change to be read.

I wouldn't recommend setting a whitelist value in your normal intel datasets.  I would maintain it as a separate file as I recommended in my previous email.

> The whitelisting also wouldn't decrease any processing requirements of
> the Intel framework since the initial indicator match is still
> occurring, right?

Having fewer items being matched really doesn't change your processing time overhead, so there isn't really an optimization to be made there.  It primarily just uses less memory at runtime, but you wouldn't notice that either unless you have some sort of monstrous whitelist file.  The only case where I could see it really helping would be if you are having a really huge number of hits, but I still suspect most people wouldn't notice.


