[Bro] bro 2.5 . How to get meta fields on intel.log

Jan Grashöfer jan.grashoefer at gmail.com
Thu Feb 23 05:12:38 PST 2017


Hi,

> How can we get working those bro extensions for Bro 2.4 on Bro 2.5
> Currently I get errors:
> ...
> line 20: Duplicate identifier documentation: Intel::extend_match

the intel framework has been reworked for 2.5 and includes a similar
extension mechanism (a hook instead of an event). The following blog
entry goes into details:
http://blog.bro.org/2016/12/the-intelligence-framework-update.html

> Our question is how to get meta fields on the Bro intel.log?

You can use the extension mechanisms included but keep in mind that each
hit might be associated with multiple indicators and each indicator
might be associated with multiple metadata records.

Jan
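As an added example (not code from Jan's reply or from the Bro project), the following Bro 2.5 script uses the Intel::extend_match hook referred to above to add a column to intel.log. The module name IntelMetaDemo and the field name descs are assumptions; the record fields it reads (Intel::Info, Intel::Item, Intel::MetaData$desc) are those of the 2.5 intel framework. Because one hit can deliver several items (several indicators, and several metadata records per indicator), the hook collects values from every item into a set rather than copying a single one.

```bro
# Added example, not part of the original post: extend intel.log with a
# metadata-derived column via the Bro 2.5 Intel::extend_match hook.
@load base/frameworks/intel

module IntelMetaDemo;   # assumed module name

export {
    # New column for intel.log: the "desc" metadata of every matching item.
    # A set is used because a single hit may carry many items.
    redef record Intel::Info += {
        descs: set[string] &log &optional;   # assumed field name
    };
}

# Intel::extend_match runs once per hit, with the full set of matched items.
# Each Item carries one MetaData record, so an indicator loaded from several
# sources shows up here as several items.
hook Intel::extend_match(info: Intel::Info, s: Intel::Seen, items: set[Intel::Item])
{
    local descs: set[string] = set();

    for ( item in items )
    {
        # desc is &optional in Intel::MetaData, so check before reading it.
        if ( item$meta?$desc )
            add descs[item$meta$desc];
    }

    # Only populate the column when at least one item had a description.
    if ( |descs| > 0 )
        info$descs = descs;
}
```

Load the script alongside the intel feed; the new descs column appears in intel.log for every hit whose items carry a description, and a hit whose indicators come from several sources lists all of their descriptions rather than one of them.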

