[Bro] Intel Framework Issues

Seth Hall seth at icir.org
Mon Nov 23 12:48:17 PST 2015

> On Nov 23, 2015, at 1:47 PM, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
> I think the most common gotcha for IP addresses is that they will only appear in intel.log when they are a part of a successful TCP connection. Unsuccessful TCP connections and non-TCP connections will not appear in the log.

Thanks for pointing that out Josh!  I do want to point out the reasoning behind that as a default decision.  My thinking was that spoofed packets could cause false hits and generally non-responded-to probes coming from intelligence hosts aren’t all that interesting.  Is there general agreement that that’s the right approach or should single packets hit on intelligence items by default?

I think there is a high bar to clear with adding that as default behavior, but I’d like to hear from people actively doing incident response on their thoughts.

I should also point out that we can certainly include a script that matches on non-complete connections with Bro even if we don’t load it by default.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list