[Bro] BRO intel framework
giedrius.ramas at gmail.com
Tue Apr 28 22:43:02 PDT 2015
Thanks for the reply.
Could you please elaborate more on that point: "Also, the internal
intelligence representation is accumulative. If you remove something from
that file, Bro is still watching for it." So, for example, if I
overwrite the whole intel file with a new one, what happens to the
records from the old file? Is Bro still watching for them?
On Tue, Apr 28, 2015 at 7:10 PM, Seth Hall <seth at icir.org> wrote:
> > On Apr 28, 2015, at 3:39 AM, Giedrius Ramas <giedrius.ramas at gmail.com>
> > How can I append data to /intel.dat ? Can I just overwrite it by using
> mv linux command ?
> Yes, that’s the best option.
> > Is it necessary to reload bro once /intel.dat changed ?
> Nope. Bro will pick up the changes automatically. If you are running on a
> cluster, it will pick them up on the manager and distribute them out to the
> workers. Also, the internal intelligence representation is accumulative.
> If you remove something from that file, Bro is still watching for it.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
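The update procedure discussed in this thread, as an added example that is not part of the original messages or of the Bro project: it stages the new file beside the live one, lists the indicators the new file drops (which, per the reply above, the running Bro keeps watching), then swaps it in with `mv`. The function names, the `0644` mode and the sample indicators are assumptions constructed for illustration; the tab-separated `#fields` layout is the usual intel file format and is not shown in the thread.

```shell
# Print the indicator column (first tab-separated field) of an intel file,
# skipping the '#fields' header and any other '#' lines.
intel_indicators() {
    awk -F '\t' '!/^#/ && NF { print $1 }' "$1" | sort -u
}

# publish_intel NEW LIVE: print indicators LIVE has and NEW lacks, then replace LIVE.
publish_intel() {
    new=$1 live=$2
    # Refuse a file without the '#fields' header line.
    head -n 1 "$new" | grep -q '^#fields' || { echo "missing #fields header" >&2; return 1; }
    # Stage in the live file's directory so mv is a same-filesystem
    # rename and the reader never sees a half-written file.
    staged=$(mktemp "$(dirname "$live")/.intel.XXXXXX") || return 1
    cp "$new" "$staged" || { rm -f "$staged"; return 1; }
    chmod 0644 "$staged"   # mktemp creates 0600; assumed mode so Bro can read it
    if [ -f "$live" ]; then
        old_list=$(mktemp) new_list=$(mktemp)
        intel_indicators "$live" > "$old_list"
        intel_indicators "$staged" > "$new_list"
        # Lines only in the old list: gone from the file, but still
        # watched in memory according to the reply above.
        comm -23 "$old_list" "$new_list"
        rm -f "$old_list" "$new_list"
    fi
    mv -f "$staged" "$live"
}

# Constructed sample data: the new file drops 192.0.2.10.
demo() {
    d=$(mktemp -d) h='#fields\tindicator\tindicator_type\tmeta.source\n'
    printf "${h}192.0.2.10\tIntel::ADDR\tconstructed\nbad.example\tIntel::DOMAIN\tconstructed\n" > "$d/intel.dat"
    printf "${h}bad.example\tIntel::DOMAIN\tconstructed\n" > "$d/new.dat"
    publish_intel "$d/new.dat" "$d/intel.dat"; rm -rf "$d"
}
```

Any indicator this prints is no longer in the file on disk, so the file alone does not describe what the running process matches on.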