[Bro] Removing intel while Bro is running

Seth Hall seth at icir.org
Thu Jul 30 12:22:11 PDT 2015


> On Jul 30, 2015, at 1:11 PM, John B. Althouse III <sudo.darkstar at gmail.com> wrote:
> 
> Is there anything I can do to fix this? I'd rather not restart Bro and lose connection states.

There will be code going into Bro before too long, but for now you can run what I wrote as an extension...

https://github.com/sethhall/intel-ext

You can see how to work with it in the testing/ directory.  Look into how the whitelisting happens.  It gives you the ability to stop monitoring for intel items by actually adding new “whitelisted” intel items.

  .Seth


--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/



