[Bro] BRO intel framework
giedrius.ramas at gmail.com
Wed Apr 29 04:42:03 PDT 2015
One more thing I need to clarify. I see that in the Bro intel data file (generated
by CIF), Intel::URL URLs have an http:// prefix. However, when I visit
these URLs, Bro Intel does not trigger. I tried removing the http:// prefix from
the URLs in the Bro intel file, and Bro Intel works well then. So is there anything
wrong with the CIF-generated Bro intel file, or elsewhere?
On Wed, Apr 29, 2015 at 8:59 AM, Nick Pratley <npratley at redhat.com> wrote:
> On Wed, 2015-04-29 at 08:43 +0300, Giedrius Ramas wrote:
> > Thanks for the reply.
> > Could you please elaborate more on this point: "Also, the internal
> > intelligence representation is accumulative. If you remove something
> > from that file, Bro is still watching for it." So, for example, if I
> > overwrite the whole intel file with a new one, what happens to
> > the records from the old file? Is Bro still watching for them?
> Yes, Bro would still be watching for them, at least if
> http://blog.bro.org/2014/01/intelligence-data-and-bro_4980.html is still
> A restart is required if you want to purge entries that have been
> removed from the feeds, but not if you only want the new entries because
> Bro keeps the file open and will pick up any new additions.
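
The workaround described in the message above (removing the http:// prefix so that Intel::URL entries match), as an added example that is not code from this thread, from CIF or from Bro. The function name `normalize_intel` and the sample rows are constructed for illustration, and stripping https:// as well goes beyond the http:// case the poster describes.

```python
import re

# Leading scheme to strip from Intel::URL indicators.
SCHEME = re.compile(r"^https?://", re.IGNORECASE)

def normalize_intel(text):
    """Strip the URL scheme from Intel::URL rows of a Bro intel file.

    Returns (new_text, number_of_rows_changed). Column positions are taken
    from the tab-separated #fields header, so column order does not matter.
    """
    ind_col = type_col = None
    out, changed = [], 0
    for line in text.splitlines():
        if line.startswith("#fields"):
            cols = line.split("\t")[1:]          # drop the "#fields" token
            ind_col = cols.index("indicator")
            type_col = cols.index("indicator_type")
            out.append(line)
            continue
        if not line or line.startswith("#"):     # keep blanks and comments
            out.append(line)
            continue
        if ind_col is None:
            raise ValueError("data row found before #fields header")
        row = line.split("\t")
        if len(row) > max(ind_col, type_col) and row[type_col] == "Intel::URL":
            stripped = SCHEME.sub("", row[ind_col])
            if stripped != row[ind_col]:
                row[ind_col] = stripped
                changed += 1
        out.append("\t".join(row))
    return "\n".join(out) + "\n", changed

# Constructed sample in the intel file layout (not real indicators).
SAMPLE = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "http://bad.example/path/x.php\tIntel::URL\tCIF-constructed\n"
    "bad.example\tIntel::DOMAIN\tCIF-constructed\n"
    "other.example/a\tIntel::URL\tCIF-constructed\n"
)

if __name__ == "__main__":
    fixed, n = normalize_intel(SAMPLE)
    print(fixed, end="")
    print(f"# {n} Intel::URL row(s) rewritten")
```

Per the reply quoted above, entries already loaded from the old file stay in memory, so the prefixed indicators are only purged when Bro is restarted.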