[Bro] 2.5 Intelligence Framework

Jan Grashöfer jan.grashoefer at gmail.com
Wed Nov 9 11:35:52 PST 2016


Hi Erin,

> I'm trying to familiarize myself with the updates/changes to the 2.5 intel
> framework, as well as start leveraging it to greater use. I've come across
> a couple of issues I'm not quite clear how to solve yet:

I have written a blog post that was intended to be published on the Bro
Blog but somehow that was forgotten. You can find my draft for the post
here: https://gist.github.com/J-Gras/3ff4d5308a69e91fb61c65c12ecb818c
The post should help to understand the intelligence framework and the
recent updates.

> 1) Is there a way to expire intel inputs from one input source, but not
> another?

Actually my intention was to allow individual expiration for
intelligence items in the first place. Due to implementation
considerations, there is no "native support" for that feature in the
framework but the design allows to realize this feature. There is a
script (see https://github.com/J-Gras/intel-extensions) that implements
per item expiration. I think it is also mentioned in the blog post. The
script is not well tested and I haven't registered the package, yet. In
principle it allows to specify expiration for every item using
"meta.expire". Thus you should be able to choose different timeouts for
different sources.

> 2) Is there a way to only send data to the notice framework from particular
> sources? Or perhaps this is an issue of suppressing certain emails from the
> notice framework?

Exactly. Although you should be able to suppress notices based on the
mail_ext vector (see
https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/do_notice.bro#L66),
that would be somewhat hacky. Maybe it would be better to write your own
version of the do_notice script, which allows suppression by source.

I hope this helps,
Jan
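The "own version of the do_notice script" suggested above, as an added example that is not part of the original email, the linked gist, or Bro's shipped scripts. It is a replacement for policy/frameworks/intel/do_notice.bro (load this instead of that file, not in addition to it, since both define Intel::Notice) and raises a notice only when the matched item comes from a source listed in a redef-able set. It assumes Bro 2.5's Intel::extend_match hook and the Intel::MetaData "source" field; the source name "internal-ioc-feed" is a placeholder for whatever appears in the source column of your intel files.

```bro
# Added example, not Bro's own do_notice.bro: raise Intel::Notice only for
# hits whose intel item was loaded from an allow-listed source.
# Assumes Bro 2.5 (hook Intel::extend_match, Intel::Seen, Intel::Item).

@load base/frameworks/intel
@load base/frameworks/notice

module Intel;

export {
	redef enum Notice::Type += {
		## Raised when an indicator from a notice-worthy source is seen.
		Intel::Notice
	};

	## Sources whose hits should generate notices. The entry below is a
	## placeholder; set it to the "source" values used in your intel files,
	## e.g. in local.bro:  redef Intel::notice_sources += { "my-feed" };
	const notice_sources: set[string] = { "internal-ioc-feed" } &redef;
}

# Runs for every match after the base framework has built the intel.log
# entry. Items from sources that are not allow-listed are still logged to
# intel.log; they just never reach the notice framework.
hook Intel::extend_match(info: Info, s: Seen, items: set[Item]) &priority=-5
	{
	for ( item in items )
		{
		if ( item$meta$source !in notice_sources )
			next;

		local n = Notice::Info($note=Intel::Notice,
		                       $msg=fmt("Intel hit on %s at %s (source: %s)",
		                                s$indicator, s$where, item$meta$source),
		                       $sub=s$indicator);

		# Attach the connection when the hit came from connection data, so
		# the usual Notice::policy hooks and e-mail templates can use it.
		if ( s?$conn )
			n$conn = s$conn;

		NOTICE(n);

		# One notice per match is enough, even if several allow-listed
		# sources carry the same indicator; intel.log keeps the full set.
		break;
		}
	}
```

Because the filtering happens before NOTICE() is called, no per-source suppression in Notice::policy (or on the e-mail extension vector) is needed; sources that should page someone go into notice_sources, everything else stays log-only.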

